diff --git a/ssoauth/checks.py b/ssoauth/checks.py
index abc8a1d05b193cff324384e34817731cca3f2ab6..d68d8009770e7ae20baf482e5e522cea8b0c816b 100644
--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -134,15 +134,15 @@ def auth_urls_configured(app_configs, **kwargs):
 @register(Tags.security)
 def session_lifetime(app_configs, **kwargs):
     errors = list()
-    max_wanted = 60 * 60 # seconds
-    if conf.settings.SESSION_COOKIE_AGE > max_wanted and not conf.settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
+    max_wanted = 10 * 60 * 60 # in seconds
+    if conf.settings.SESSION_COOKIE_AGE > max_wanted or conf.settings.SESSION_COOKIE_AGE is 0:
         errors.append(Error(
-            "Please reduce SESSION_COOKIE_AGE to at most {max_wanted} or set SESSION_EXPIRE_AT_BROWSER_CLOSE = True".format(**locals()),
+            "Please reduce SESSION_COOKIE_AGE to at most {max_wanted}".format(**locals()),
             obj=conf.settings,
         ))
-    if conf.settings.SESSION_COOKIE_AGE > 60 * 60 * 24: # >24h is too much even with SESSION_EXPIRE_AT_BROWSER_CLOSE
-        errors.append(Error(
-            "SESSION_COOKIE_AGE is too high. This means users can stay logged in longer than their accounts are active.",
+    if not conf.settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
+        errors.append(Warning(
+            "Recommended value for SESSION_EXPIRE_AT_BROWSER_CLOSE = True",
             obj=conf.settings,
         ))
     return errors
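Review bot: The new guard `conf.settings.SESSION_COOKIE_AGE is 0` compares an int by identity, which is a SyntaxWarning on current Python and only happens to work because CPython caches small ints; a setting loaded from a non-literal source is not guaranteed to be the same object, so this branch can silently fail to fire. Use equality, `if conf.settings.SESSION_COOKIE_AGE > max_wanted or conf.settings.SESSION_COOKIE_AGE == 0:`, and add a comment stating why 0 is treated as an unsafe value, since nothing in the check explains it. The Error text also reports the limit as a bare number (`36000`) with no unit; consider `"Please reduce SESSION_COOKIE_AGE to at most {} seconds".format(max_wanted)` instead of `.format(**locals())`, which exposes every local to the format string for no benefit. If the other checks in this file carry `id=` values, the new Error and Warning should get ids as well so deployments can silence them individually.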