Sessions and Cookies
There are several options available in the Clarive Web server to configure how the server manages user sessions.
To override the default values, open your config file CLARIVE_BASE/[config].yml and add the desired keys using the following YAML structure (watch out for the indentation):
baseliner:
  'Plugin::Session':
    expires: 2592000                # One month
    cookie_name: clarive-session
    cookie_secure: 0                # 1 = session only available on HTTPS servers
    cookie_samesite: 0              # 0, "Lax" or "Strict"
Any change to the .yml file requires restarting the Clarive Web server.
cookie_name sets the name of the session cookie that is sent to users. Changing this name will log every user out and require them to log in again.
expires sets the number of seconds until a session expires. By default this value is one month (2592000 seconds). Setting it to 3600, for example, logs users out after 1 hour of inactivity.
cookie_secure: set this value to 1 to only allow users to log in over HTTPS. After changing this value (and restarting the server), users accessing the Clarive server through http://... URLs will no longer be able to log in to Clarive unless they switch to an HTTPS connection. Currently logged-in users will be logged out when the server restarts.
Configure your front-end server first
We recommend that, before you activate this flag to force your users to connect over HTTPS, you first make the pertinent changes in your front-end web server (e.g. Nginx). Only rely on this config parameter if you do not have access to or control over your front-end and want to be sure that users only log in over secure HTTPS connections, or as a second line of defence after the front-end has been configured to redirect HTTP traffic to HTTPS.
cookie_samesite: set this value to either Lax or Strict to set the cookie's SameSite attribute. SameSite helps prevent CSRF (Cross-site request forgery) attacks by limiting your Clarive session cookie to be sent only when the request originates from a Clarive page already open in the browser, not from a third-party site.
Lax - this is the recommended value, as it prevents the session cookie from being sent to other sites that request Clarive resources, but still allows users to be redirected to your Clarive web interface through links without having to log in again. This is becoming a standard and the default in some browsers.
Strict - this value will require users to log in again to the Clarive web server whenever they click a link on another site that leads to the Clarive web server. It can be annoying for users to have to enter their credentials every time, but it results in a more secure installation.
None - this value explicitly disables all SameSite protection. This is not recommended right now, but as browsers start to apply SameSite by default, which may cause annoyances for your users, you may want to set it to None to tell browsers (such as Chrome 76) to allow your Clarive session cookie to be sent across sites.
0 (default) - the value zero prevents the SameSite attribute from being sent by the Clarive web server at all.
SameSite cookie configuration is a new standard introduced in 2017 and some browsers may not honor it. Check your browser version to make sure the SameSite values are supported.
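After restarting the server, the quickest way to confirm the cookie_secure and cookie_samesite settings took effect is to inspect the Set-Cookie header the server returns on login. The following audit script is an added example, not Clarive code; it assumes a standard Set-Cookie header and uses constructed sample headers.

```python
"""Audit a Set-Cookie header against the configured Plugin::Session cookie keys."""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Flag attributes such as Secure carry no value; store them as True.
        attrs[key.strip().lower()] = value.strip() if value else True
    return cookie_name, attrs


def audit_session_cookie(header, cookie_name="clarive-session",
                         cookie_secure=0, cookie_samesite=0):
    """Return a list of mismatches between the observed header and the config (empty = OK)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if name != cookie_name:
        findings.append(f"cookie name is {name!r}, expected {cookie_name!r}")
    secure = attrs.get("secure") is True
    if cookie_secure == 1 and not secure:
        findings.append("cookie_secure=1 configured but Secure attribute missing")
    if cookie_secure == 0 and secure:
        findings.append("Secure attribute present although cookie_secure=0")
    samesite = attrs.get("samesite")
    if cookie_samesite == 0:
        if samesite is not None:
            findings.append(f"SameSite={samesite} present although cookie_samesite=0")
    elif samesite is None:
        findings.append(f"cookie_samesite={cookie_samesite} configured but SameSite missing")
    elif samesite.lower() != str(cookie_samesite).lower():
        findings.append(f"SameSite={samesite} does not match cookie_samesite={cookie_samesite}")
    # Modern browsers (Chrome 80 and later) drop SameSite=None cookies that lack Secure.
    if samesite is not None and samesite.lower() == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers will reject this cookie")
    return findings


# Constructed sample headers standing in for what a Clarive login response might send.
SAMPLE_HEADERS = {
    "default": "clarive-session=abc123; path=/",
    "hardened": "clarive-session=abc123; path=/; secure; SameSite=Lax",
    "none_insecure": "clarive-session=abc123; path=/; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_session_cookie(header, cookie_secure=1, cookie_samesite="Lax"))
```

Paste the real Set-Cookie header from your browser's developer tools or curl -i output in place of the constructed samples and pass the values from your .yml file as arguments.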
If you have a single sign-on configuration with Clarive then some of the cookie configuration options could interfere with your single sign-on scheme, so make sure to test it before changing any values on production Clarive systems.