Skip to content

Sessions and Cookies

The Clarive user session IDs are stored in cookies in the browser.

There are several options available in the Clarive Web server to configure how the server manages user sessions.

To overwrite the default values, go to your config file CLARIVE_BASE/[config].yml and add or modify the desired keys using the following YAML structure (watch out for the indentation):

baseliner:
    'Plugin::Session':
        expires: 2592000     # One month
        cookie_name: clarive-session
        cookie_secure: 0     # 1 = session only available in HTTPs servers
        cookie_samesite: 0   # 0, "Lax" or "Strict"

All changes in the .yml file requires restarting the Clarive Web server.

Changing this value will alter the name of the cookie that is sent to users. Changing this name will log every user out and require them to login back.

expires

Sets the number of seconds until a session expires, same as the bare variable session_expires.

By default this value is set to 1 month in length. Setting to, ie 3600 will logout users after 1 hour of inactivity.

Note

If you just want to configure the expires value and nothing else use the session_expires bare value in the config.

Set this value to 1 to only allow users to log in using HTTPs.

After changing this value (and restarting the server) users accessing the Clarive server through http://... URLs are not going to be able to login to Clarive anymore unless they use a HTTPs connection (https://...).

Current logged in users will be logged out after the server restarts.

Configure your front-end server first

We recommend that first and foremost, before you activate this cookie to force your users to connect through HTTPs, make the pertinent changes in your front-end web server (ie. Nginx). Only use this config parameter if you don't have access or control over your front-end and wish to be sure that users only log in through secure HTTPs connections, or as a second measure after the front-end has been configured to divert HTTP traffic through HTTPs.

Set this value to either Strict or Lax to set the cookie SameSite flag.

SameSite helps prevent CSRF (Cross-site request forgery) attacks by limiting your Clarive session cookie to be sent only when accessed from an open Clarive session.

  • Lax - this is the recommmended value, as it prevents session cookies to be sent to sites requesting resources but allows users to be redirected to your Clarive web interface through links without having to log in again. This is becoming a standard and the default in some browsers.

  • Strict - this flag value will require users to re-login to the Clarive web server when clicking on any link that redirects to the Clarive web server. It can be annoying for users to have to enter their credentials everytime, but it results in a more secure installation.

  • None - this flag will explicitly disable all SameSite security. This is not recommended right now, but as browsers start to implement SameSite by default, which may result in annoyances for your users, you may want to set it to None to tell browsers (such as Chrome 76) to allow your Clarive session cookie to be sent across sites.

  • 0 (default) - the value zero prevents the SameSite flag to be sent by the Clarive web server.

Note

The SameSite cookie configuration is a new standard introduced in 2017 and some browsers may not honor it. Check your browser version to make sure the SameSite flags are supported.

Single Sign-on

If you have a single sign-on configuration with Clarive then some of the cookie configuration options could interfere with your single sign-on scheme, so make sure to test it before changing any values on production Clarive systems.

Session duration & "Remember me"

Clarive allows both Session cookies and Expiration cookies that hold the current session ID for a user in the browser.

Expiration cookies are cookies that will expire after the time set by the administrator in the config file, under the session_expires entry or Baseliner/Plugin::Session/expires general settings.

session_expires: 2592000  # seconds = one month

Session cookies are cookies that are deleted by the browser when the user logs out. Starting at Clarive version 7.10.5 that's the default cookie Clarive will create, unless the user ticks the "Remember me" checkbox in the login form.

Users can decide when logging in if they prefer a session cookie (by ticking the "Remember me" checkbox) or a cookie with the global expiration set by the administrator.

The administrator can limit the user options during login by setting the session_duration_mode config option.

  • session_token: session_cookie - only session cookies (that are deleted by the browser) are allowed
  • session_token: expire_cookie - only expiry cookies are allowed
  • session_token: cookie (default) - the user may use the "Remember me" checkbox to set the their preferred cookie expiration mode.

Set the expiration value regardless

Regardless of session token modes, set the session_expires to a positive integer value that is greater than 0 (>0). If set to zero, users logging in will be logged out immediately. If no value is set, the internal default of 1 month will be used.

Limiting user sessions to 1 per user

Limiting a user session means that a single user id cannot be used simultaneously in different browsers or browser sessions.

Starting with Clarive 7.6.1.4, Clarive can limit user sessions to 1 per user per IP address. This means a user can login into Clarive from many browser sessions from the same IP address, which typically corresponds to a single computer (but can vary if users share a proxy or a VPN connection).

# multiple is the default mode:
user_session_mode: multiple # allowed: 'multiple', 'ip' or 'unique'

To limit user sessions to 1 per user instead of 1 per IP, add the following line to your [config].yml file:

user_session_mode: unique

This mode is very restrictive and will make users have to relogin very often.

One session per IP address

The ip session mode limits users sessions by IP address. This means a user can login many times from a single IP, but if they open Clarive sessions from different IP addresses (ie, another computer or network) Clarive will require the user to relogin.

user_session_mode: ip

There's one limitation: Clarive cannot match IPv4 to IPv6 addresses, so the user can actually have up to two sessions, one from a single IPv4 address and another from a single IPv6 address. This is actually a rare situation, but could be the case for certain software, OS or network/router configurations.

Unlimited sessions

To lift the session limit for all users, rollbacking to the default behavior before Clarive 7.6.1.4:

user_session_mode: multiple

This allows a user to have unlimited sessions open from many locations, IPs or browsers.