Securing sessions

Session timeout

User sessions are controlled with the ttl (time-to-live) property, which is set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[session]]
     ttl=[***NUMBER-OF-SECONDS***]

The default setting for ttl is 1,209,600 seconds, which equals two weeks. The ttl property determines the length of time that the cookie with the user's session ID lives before expiring. After the ttl setting is reached, the user's session expires whether it is active or not.

Idle session timeout

Idle sessions are controlled with the idle_session_timeout property, which is set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[auth]]
     idle_session_timeout=[***NUMBER-OF-SECONDS***]

Sessions expire that are idle for the number of seconds set for this property. For example, if you set idle_session_timeout=900, sessions expire after being idle for 15 minutes. You can disable the property by setting it to a negative value, like idle-session_timeout=-1.

Secure session login

Session login properties are set under the [desktop] [[auth]] section in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[auth]]
     [***SET-SESSION-LOGIN-PARAMETERS-HERE***]

Use the following properties to configure session login behavior:


`change_default_password`	Valid values: true \| false If this property is set to true, users must change their passwords on first login attempt. Example: `[desktop] [[auth]] change_default_password=true` To use this property, you must enable the `AllowFirstUserDjangoBackend` in Hue. For example: `[desktop] [[auth]] backend=desktop.auth.backend.AllowFirstUserDjangoBackend`
`expires_after`	Use this property to configure the number of seconds after logout that user accounts are disabled. For example, user accounts are disabled 900 seconds or 15 minutes after logout with the following configuration: `[desktop] [[auth]] expires_after=900` If you set this property to a negative value, user sessions never expire. For example, `expires_after=-1`.
`expire_superusers`	Use to expire superuser accounts after the specified number of seconds after logout. For example, `expire_superusers=900` causes superuser accounts to expire 15 minutes after logging out.
`login_cooloff_time`	Sets the number of seconds after which failed logins are forgotten. For example, if you set `login_cooloff_time=900`, a failed login attempt is forgotten after 15 minutes.
`login_failure_limit`	Sets the number of login attempts allowed before a failed login record is created. For example, if you set `login_failure_limit=3`, a failed login record is created after 3 login attempts.
`login_lock_out_at_failure`	Valid values: true \| false If set to `true`: The IP address that is attempting to log in is locked out after exceeding the limit set for `login_failure_limit`. If `login_lock_out_by_combination_user_and_ip` is also set to `true`, both the IP address and the user are locked out after exceeding the limit set for `login_failure_limit`. If `login_lock_out_use_user_agent` is also set to `true`, both the IP address and the agent application (such as a browser) are locked out after exceeding the limit set for `login_failure_limit`.
`login_lock_out_by_combination_user_and_ip`	Valid values: true \| false If set to `true`, both the IP address and the user are locked out after exceeding the limit set for `login_failure_limit`.
`login_lock_out_use_user_agent`	Valid values: true \| false If set to `true`, the agent application (such as a browser) is locked out after exceeding the limit set for `login_failure_limit`.

Secure session cookies

Session cookie properties are set under the [desktop] [[session]] section in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[session]]
     [***SET-SESSION-COOKIE-PROPERTIES-HERE***]

Use the following properties to configure session cookie behavior:


`secure`	Valid values: true \| false If this property is set to `true`, the user session ID is secured. important To use this property, HTTPS must be enabled. Example: `[desktop] [[session]] secure=true` By default this property is set to `false`.
`http_only`	Valid values: true \| false If this property is set to `true`, the cookie with the user session ID uses the HTTP only flag. Example: `[desktop] [[session]] http_only=true` important If the `HttpOnly` flag is included in the HTTP response header, the cookie cannot be accessed through a client side script. By default this property is set to `true`.
`expire_at_browser_close`	Valid values: true \| false If this property is set to `true`, only session-length cookies are used. Users are automatically logged out when the browser window is closed. Example: `[desktop] [[session]] expire_at_browser_close=true` By default this property is set to `false`.