Securing sessions

Securing the Hue sessions ensures that authenticated user access remains protected throughout the lifetime of the web sessions. Additionally, when a Hue session expires, the screen blurs and the user automatically logs out the web interface.

The (sessionid) session cookie is a target for security vulnerabilities. If an attacker obtains this cookie, they can hijack or reuse active Hue sessions to impersonate the user without authenticating. Unauthorized access can lead to data exposure, unauthorized query execution, and job submission across connected Hue services.

Session timeout

User sessions are controlled with the ttl (time-to-live) property, which is set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[session]]
     ttl=[***NUMBER-OF-SECONDS***]

The default setting for ttl is 1,209,600 seconds, which equals two weeks. The ttl property determines the length of time that the cookie with the user's session ID lives before expiring. After the ttl setting is reached, the user's session expires whether it is active or not.

Idle session timeout

Idle sessions are controlled with the idle_session_timeout property, which is set in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[auth]]
     idle_session_timeout=[***NUMBER-OF-SECONDS***]

Sessions expire that are idle for the number of seconds set for this property. For example, if you set idle_session_timeout=900, sessions expire after being idle for 15 minutes. You can disable the property by setting it to a negative value, like idle-session_timeout=-1.

Secure session login

Session login properties are set under the [desktop] [[auth]] section in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[auth]]
     [***SET-SESSION-LOGIN-PARAMETERS-HERE***]

Use the following properties to configure session login behavior:


`change_default_password`	Valid valuesValid values: `true` \| `false` If this property is set to true, users must change their passwords on first login attempt. Example: `[desktop] [[auth]] change_default_password=true` To use this property, you must enable the `AllowFirstUserDjangoBackend` in Hue. For example: `[desktop] [[auth]] backend=desktop.auth.backend.AllowFirstUserDjangoBackend`
`expires_after`	Use this property to configure the number of seconds after logout that user accounts are disabled. For example, user accounts are disabled 900 seconds or 15 minutes after logout with the following configuration: `[desktop] [[auth]] expires_after=900` If you set this property to a negative value, user sessions never expire. For example, `expires_after=-1`.
`expire_superusers`	Use to expire superuser accounts after the specified number of seconds after logout. For example, `expire_superusers=900` causes superuser accounts to expire 15 minutes after logging out.
`login_cooloff_time`	Sets the number of seconds after which failed logins are forgotten. For example, if you set `login_cooloff_time=900`, a failed login attempt is forgotten after 15 minutes.
`login_failure_limit`	Sets the number of login attempts allowed before a failed login record is created. For example, if you set `login_failure_limit=3`, a failed login record is created after 3 login attempts.
`login_lock_out_at_failure`	Valid values: `true` \| `false` If set to `true`: The IP address that is attempting to log in is locked out after exceeding the limit set for `login_failure_limit`. If `login_lock_out_by_combination_user_and_ip` is also set to `true`, both the IP address and the user are locked out after exceeding the limit set for `login_failure_limit`. If `login_lock_out_use_user_agent` is also set to `true`, both the IP address and the agent application (such as a browser) are locked out after exceeding the limit set for `login_failure_limit`.
`login_lock_out_by_combination_user_and_ip`	Valid values: `true` \| `false` If set to `true`, both the IP address and the user are locked out after exceeding the limit set for `login_failure_limit`.
`login_lock_out_use_user_agent`	Valid values: `true` \| `false` If set to `true`, the agent application (such as a browser) is locked out after exceeding the limit set for `login_failure_limit`.

Secure session cookies

Session cookie properties are set under the [desktop] [[session]] section in the Cloudera Manager Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini property as follows:

[desktop]
     [[session]]
     [***SET-SESSION-COOKIE-PROPERTIES-HERE***]

Use the following properties to configure session cookie behavior:


`secure`	Valid values: `true` \| `false` If this property is set to `true`, the user session ID is secured. important To use this property, HTTPS must be enabled. Example: `[desktop] [[session]] secure=true` By default this property is set to `false`.
`http_only`	Valid values: `true` \| `false` If this property is set to `true`, the cookie with the user session ID uses the HTTP only flag. Example: `[desktop] [[session]] http_only=true` important If the `HttpOnly` flag is included in the HTTP response header, the cookie cannot be accessed through a client side script. By default this property is set to `true`.
`expire_at_browser_close`	Valid values: `true` \| `false` If this property is set to `true`, only session-length cookies are used. Users are automatically logged out when the browser window is closed. Example: `[desktop] [[session]] expire_at_browser_close=true` By default this property is set to `false`.

Session security and validation

Session security is set to moderate by default. You can configure the security validation strictness based on your environment requirements. Use the following properties in the [desktop] [[session]] section to define session security behavior:


`same_site`	Valid values: `Strict` \| `Lax` \| `None` Default value: `Lax` Specifies the SameSite attribute for session cookies to prevent Cross-Site Request Forgery (CSRF). `Lax`: Provides CSRF protection while allowing SAML and OIDC authentication flows. `Strict`: Provides maximum security by ensuring cookies are only sent in a first-party context. This setting can prevent SAML or OIDC authentication from functioning correctly. `None`: Disables SameSite protection. If you use this setting, you must also set the secure property to true.
`session_validation_mode`	Valid values: `strict` \| `moderate` \| `moderate_vpn` \| `permissive` \| `off` Default value: `moderate` Specify the strictness of session validation to prevent session hijacking. `strict` : Set to require an exact IP address and User-Agent match. This provides the highest level of security. `moderate` Set to require a subnet and User-Agent family match with a grace period. `moderate_vpn`: Set to use a wider subnet match. This is intended for environments where users access the system through a Virtual Private Network (VPN). `permissive`: Set to validate the User-Agent only and enable audit logging. `off`: Set to disable session validation. Example for disabling security validation `[desktop] [[session]] session_validation_mode=off`
`Session_ip_validation`	Valid values: `true` \| `false` Default value: `true` Enables IP address validation for sessions. `true` : Set this property, Hue validates that the incoming request IP address matches the session's original IP address. `false`: Set to disable the IP validation
`Session_ip_subnet_bits`	Valid values: `8` \| `16` \| `24` \| `32` Default value: `24` Defines the number of bits used for IP subnet mask validation. `32`: Set to require an exact IP address match for the session. `24` : Set to validate the session against a /24 subnet. This ensures the user remains on the same network. `16` : Set to validate the session against a /16 subnet. This allows for a wider range of IP addresses, such as in environments with a Virtual Private Network (VPN). `8` : Set to validate the session against an /8 subnet
`session_user_agent_validation`	Valid values: `true` \| `false` Default value: `true` Enables User-Agent validation for sessions to protect against session hijacking from different browsers or devices. `true` : Set to validate the User-Agent string of the client. Ensures that the browser or device identity remains consistent throughout the session. `false`: Set to disable the user agent validation.
`session_user_agent_match`	Valid values: `exact` \| `family` Default value: `family` Sets the strictness of the User-Agent matching process. `exact`: Set to require an exact match of the User-Agent string. This ensures that the session is restricted to the specific browser version and operating system used at login. `family`: Set to match only the browser family, such as Chrome or Firefox. This allows for minor browser updates or sub-version changes without invalidating the session
`session_allow_ip_changes`	Valid values: -1 to Number Default value: `1` Defines the maximum number of IP address changes allowed within the grace period before the system requires re-authentication. `-1`: Set to allow an unlimited number of IP address changes. `0`: Set to prevent any IP address changes. This requires you to re-authenticate if your IP address changes. `1`: Set to allow one IP address change. This is the default setting and is intended to support users on a Virtual Private Network (VPN).
`session_ip_change_grace_period`	Valid values: `seconds` Default value: `300` Defines the grace period, in seconds, for IP address changes. This period allows for network transitions, such as connecting to or disconnecting from a Virtual Private Network (VPN), without requiring you to log in again immediately. For example, the default setting is 300 seconds. After this period expires, any detected IP address change requires you to re-authenticate.
`session_rotation_on_ip_change`	Valid values: `true` \| `false` Default value: `true` Determines whether to generate a new session ID when an IP address change is detected. `true`: Set to rotate the session ID when an IP address change occurs. This is the preferred setting for higher security. `false`: Set to disable the session IP address rotation.
`session_security_audit_log`	Valid values: `true` \| `false` Default value: `true` Enables detailed audit logging for session security events. `true`: Set to record detailed audit logs for events such as IP address changes and validation failures. Hue writes these logs to the Hue security log. `false`: Set to disable detailed audit logging for session security events.