oliwel•12mo ago

Limit Zitadel login to browser session

Hi, just stumbled over a somewhat severe issue 😦 In some parts of our organisation people use "shared desktops" (PC clients without personal login accounts) and while the users are trained to close the browser when leaving the machine, they do not understand that they need to terminate the Zitadel session separately (which is also a bit cumbersome as we blocked the login for users to prevent them from changing their user data). I found several settings on the lifetime of tokens but I did not find any place where to limit the cookie lifetime for the Zitadel login session to the browser session. If this is not yet implemented, is there any documentation how to link a custom login ui with the regular OIDC IDP workflow?
Oli
7 Replies
FFO•12mo ago
Hm, do you use our hosted login or did you create your own? If you create your own you could opt storing the cookies into the session_storage.
oliwelOP•12mo ago
I am using the regular login shipped with the product atm (/ui/login). @FFO Any ideas on this? ITSec is telling me we need to solve this ASAP.
FFO•12mo ago
I think the settings under /ui/console/instance?id=login could work for you when you combine them with your application prompting for authentication per OIDC prompt. But if we are talking desired outcome... you want that people need to reauthenticate if they close their browser?
oliwelOP•12mo ago
@FFO There are some timeouts I can configure, but I do not see anything related to cookie/session management... And yes, the desired outcome is to force the user to reauthenticate after closing the browser; from testing in the console it should be sufficient to set the cookie validity to "session" for the "zitadel.useragent" cookie. I think I found it 😄 it seems not to be available in the UI, but in the yaml configuration there is:
UserAgentCookie:
  Name: zitadel.useragent # ZITADEL_USERAGENTCOOKIE_NAME
  # 8760h are 365 days, one year
  MaxAge: 8760h # ZITADEL_USERAGENTCOOKIE_MAXAGE
Setting MaxAge: 0h lets the cookie expire on browser close.
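An added check to verify that setting from the outside (example code, not from the thread's participants or from Zitadel): it classifies the zitadel.useragent Set-Cookie header a login response returns as session or persistent, and converts the Go-style MaxAge duration used in the config so the two can be compared. The Set-Cookie samples are constructed, not captured from a real deployment.

```python
import re
from http.cookies import SimpleCookie

COOKIE_NAME = "zitadel.useragent"  # name from the UserAgentCookie config above

# Constructed sample headers. With MaxAge: 8760h the login issues a persistent
# cookie (8760h = 31536000 s); with MaxAge: 0h Go's net/http omits the Max-Age
# attribute entirely, so the browser treats it as a session cookie.
SET_COOKIE_PERSISTENT = (
    "zitadel.useragent=opaque-id; Path=/; Max-Age=31536000; "
    "HttpOnly; Secure; SameSite=Lax"
)
SET_COOKIE_SESSION = "zitadel.useragent=opaque-id; Path=/; HttpOnly; Secure; SameSite=Lax"

_GO_UNITS = {"h": 3600, "m": 60, "s": 1, "ms": 1e-3}


def go_duration_seconds(value):
    """Convert a Go duration string such as '8760h', '90m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(ms|h|m|s)", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"not a Go duration: {value!r}")
    return sum(float(n) * _GO_UNITS[u] for n, u in parts)


def cookie_lifetime(set_cookie_header, name=COOKIE_NAME):
    """Classify the named cookie in one Set-Cookie header.

    Returns 'session' (no Max-Age/Expires: dropped when the browser closes),
    'persistent' (survives a browser close), 'deleted' (Max-Age<=0, which on
    the wire means remove the cookie) or None if the cookie is absent.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return None
    if morsel["max-age"]:
        return "deleted" if int(morsel["max-age"]) <= 0 else "persistent"
    if morsel["expires"]:
        return "persistent"
    return "session"


def config_yields_session_cookie(max_age):
    """True when a UserAgentCookie.MaxAge value makes the cookie session-scoped."""
    return go_duration_seconds(max_age) == 0
```

Running cookie_lifetime against the real login response is the quick way to confirm the config change took effect on a self-hosted instance.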
FFO•11mo ago
Perfect, thanks for sharing! Yeah that config is currently only available for self-hosted systems 😄
oliwelOP•11mo ago
@FFO yeah... and it turned out that the user experience is soooo bad that we just reset it 😆 For the wishlist: a checkbox on login "I am using a public PC" which prevents any objects being stored beyond browser close.