Ensuring Secure Session Management in Datahub: Discussions on Cookie Clearance and Server-Side Authentication

Original Slack Thread

About session tokens: Datahub only clears the cookie on the browser side and does not clear the session on the server side when clicking logout in the UI. This means we can still visit the datahub API using an old session token. Do we have any way to make datahub clear the session on the server side?

Unfortunately not at this time. Tokens are currently JWTs that expire after a certain period of time. The only way to invalidate them would be to change the secret that is used by datahub to encrypt tokens, so that old tokens have signature failures. We recommend setting a short enough auth token timeout to ensure that it is refreshed at an acceptable frequency for you!

If you have SSO set up, there's no reason not to set a low frequency for the datahub tokens.
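The behaviour discussed in the thread, worked through as an added example (not DataHub's own code): a signed, time-limited HS256 JWT is issued, and then verified in the four situations that matter here. The secrets, subject, and timestamps are constructed for the demo. Clearing the browser cookie changes nothing on the server, so the same token still verifies when presented directly to the API; only expiry of the `exp` claim or rotation of the signing secret causes verification to fail, which is exactly the mitigation the answer describes.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore padding stripped by _b64url before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 JWT that expires ttl_seconds after 'now'."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(secret: bytes, token: str, now=None) -> tuple:
    """Return (True, subject) for a valid token, else (False, reason).

    There is no server-side session store here: validity depends only on
    the signature under the current secret and on the 'exp' claim.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return False, "malformed"
    # Pin the algorithm so a header claiming 'none' or another alg is rejected.
    if header.get("alg") != "HS256":
        return False, "bad algorithm"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"  # secret was rotated, or token was tampered with
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, payload.get("sub")


def demo() -> dict:
    """Walk the token through the four cases raised in the thread."""
    secret_v1 = b"constructed-secret-v1"  # constructed for the demo
    secret_v2 = b"constructed-secret-v2"  # the rotated secret
    t0 = 1_700_000_000                    # constructed issue time
    token = issue_token(secret_v1, "alice", ttl_seconds=300, now=t0)
    return {
        # Normal use shortly after login.
        "fresh": verify_token(secret_v1, token, now=t0 + 10),
        # User clicked logout: the cookie is gone, but the token itself is
        # unchanged and the server has no record of the logout.
        "after_cookie_cleared": verify_token(secret_v1, token, now=t0 + 60),
        # The only passive invalidation: the short TTL ran out.
        "after_expiry": verify_token(secret_v1, token, now=t0 + 301),
        # The only active invalidation: the signing secret was rotated.
        "after_secret_rotation": verify_token(secret_v2, token, now=t0 + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result}")
```

The `after_cookie_cleared` case is the situation the question describes: without a server-side session record, logout cannot be enforced for a token that has already been issued. Rotating the secret invalidates every outstanding token at once (every user is logged out), which is why a short `exp` is the practical control when SSO already handles re-authentication.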