Comment 8 for bug 1842930

Revision history for this message
Akihiro Motoki (amotoki) wrote :

> Thank you for pointing the SESSION_TIMEOUT option. I was looking through Horizon options to mitigate this problem and thought about using it.

For more detail, there are two options involved in horizon.
- SESSION_TIMEOUT
- SESSION_REFRESH
If SESSION_REFRESH is set to True (current default), a shorter SESSION_TIMEOUT would not matter for most cases.

> So is the default keystonemiddleware cache expiration time in such deployment equals to 300 sec? Although I can look up token's expiration time, issuing "openstack token issue" command.

The default value is defined here [1].
You can test the timeout of keystonemiddlware cache using curl.
[2] is an example in my devstack environment. L.39-49 retrieves a token before the user is deleted and tests it works. L.81 confirms the token is still valid just after the user is deleted. I confirmed the curl command failed with auth error a couple of minuites later (though the paste does not cover it). You can try the similar.

[1] https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L107-L112
[2] http://paste.openstack.org/show/777693/