Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure (AC-2(5), AC-12) #79

Closed
rahearn opened this issue Oct 7, 2020 · 5 comments · Fixed by #133
Closed

As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure (AC-2(5), AC-12) #79

rahearn opened this issue Oct 7, 2020 · 5 comments · Fixed by #133
Assignees
@jasalisbury
Labels
8 Story Points In epic 8 Issue is a child in the indicated parent epic security-control V1.0 MVP Indicates the release version for the issue
Milestone
sprint4

Comments

@rahearn
Copy link
Contributor

rahearn commented Oct 7, 2020
edited by pamlo412
Loading

User story:
As a user who has left my computer for 25 minutes or longer, I want the system to log me out of Smart Hub so the site remains secure.

Acceptance Criteria:

  1. After 25 minutes of inactivity, the user is given a warning and option to continue session.
  2. If the user clicks anywhere on the screen, the message is dismissed and the session is restarted.
  3. If the user doesn't click anywhere on the screen, then at the 30 minute mark, the system logs the user out of Smart Hub and redirects them to the Welcome page.
  4. The length of the inactivity timeout is easily configurable (a config file is fine).

Considerations:

  • HSES's timeout will not affect our users.

Exclusions:

  • design by Aricka - she'll review what the developers build and if we need changes, they'll go into another story.
  • autosaving of work before timeout - Saving an Activity Report #98
  • locking of screen (rather than logout) - not needed
@pamlo412 pamlo412 mentioned this issue Oct 7, 2020
Open
@rahearn
Copy link
Contributor Author

rahearn commented Oct 8, 2020

Seems like there's supposed to be a 15 minute session lock, and a 30 minute session termination timeout. Asking for clarity from IPT on the practical differences between lock and termination for a web app.

@pamlo412 pamlo412 added this to the sprint3 milestone Oct 13, 2020
@pamlo412 pamlo412 removed this from the sprint3 milestone Oct 13, 2020
@rahearn
Copy link
Contributor Author

rahearn commented Oct 21, 2020

We can ignore the 15 minute session lock and only implement the 30 minute session termination

@pamlo412 pamlo412 added the 8 Story Points label Oct 27, 2020
@pamlo412
Copy link
Contributor

Added screen lock to list of exclusions. Assigned 8 points based on discussion with @kryswisnaskas and @jasalisbury

@pamlo412 pamlo412 added this to the sprint4 milestone Oct 27, 2020
@jasalisbury jasalisbury self-assigned this Oct 28, 2020
@pamlo412 pamlo412 mentioned this issue Oct 30, 2020
Open
@pamlo412 pamlo412 added In epic 8 Issue is a child in the indicated parent epic V1.0 MVP Indicates the release version for the issue labels Oct 31, 2020
@jasalisbury jasalisbury mentioned this issue Nov 2, 2020
Merged
3 tasks
@rahearn rahearn changed the title As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure (AC-12) Nov 3, 2020
@rahearn rahearn changed the title As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure (AC-12) As a user who has left my computer, I should be logged out after a period of inactivity, so my account remains secure (AC-2(5), AC-12) Nov 3, 2020
This was referenced Nov 5, 2020
Closed
Merged
@jasalisbury jasalisbury mentioned this issue Nov 5, 2020
Merged
3 tasks
@rahearn
Copy link
Contributor Author

rahearn commented Nov 6, 2020

Definition of done:

  • The business and/or user value of a story has been met
  • CI pipeline green
  • Code is meaningfully tested
  • No linting errors or warnings
  • UI meets WCAG 2.1 - Levels A and AA
  • Code has deployed to a staging environment
  • Security scans have passed
  • Architectural Decision Records are written for major infrastructure decisions with the Nygard template.
  • Boundary and Data Flow Diagrams are updated when a change invalidates the current version.
  • Logical Data Model Diagram is updated on DB schema changes.
  • Public API methods are documented when added or changed.

@pamlo412
Copy link
Contributor

pamlo412 commented Dec 9, 2020

Screen shot of timeout warning:
image

rahearn pushed a commit that referenced this issue Jan 5, 2021
@jasalisbury
Merge pull request #79 from adhocteam/js-52-assign-permissions-frontend
752046a 
Assign permissions - frontend
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jasalisbury jasalisbury

Labels
8 Story Points In epic 8 Issue is a child in the indicated parent epic security-control V1.0 MVP Indicates the release version for the issue
Projects
None yet
Milestone
sprint4
Development

Successfully merging a pull request may close this issue.

Logout when inactive adhocteam/Head-Start-TTADP
3 participants
@rahearn @jasalisbury @pamlo412