Mattermost, Inc.

Invalidate existing Sessions

Hi,

I’m using the Gitlab SSO and have the problem that once the users are logged in, their session doesn’t get invalidated for a long time. When I disable the LDAP account which Gitlab uses to authenticate users, the user can still use Mattermost until someone disables the user manually.

Is there a way to regularly force users to re-login, or otherwise make sure SSO sessions get validated more regularly?

Thanks!
Best regards

Hello, @Catscrash

By default, there is a job that helps to clean the user’s session every 24 hours based on the documentation here:

User sessions are cleared when a user tries to log in. Additionally, a job runs every 24 hours to clear sessions from the sessions database table.

Since you mentioned that the disabled user was still able to log in, I would suspect that the synchronization has not kicked in yet as the default setting is configured to 60 minutes. So, you might want to consider adjusting that if needed.

Additionally, the default session length for SSO is set to 30 days based on the configuration in config.json:

ahmaddanial@mattermost:~$ cat /opt/mattermost/config/config.json | grep "SessionLengthSSOInDays"
        "SessionLengthSSOInDays": 30,

You can also reduce this number if needed to shorten the lifespan of the SSO sessions. Can you please give it a try and let me know how it goes on your end?
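A defender-side check, added here as an example and not code from either post: it reads the two settings discussed in the answer from a constructed config.json excerpt, reports values above a stated policy, and emits a lowered copy. The policy thresholds and the `LdapSettings.SyncIntervalMinutes` key name (the 60-minute sync interval mentioned above) are assumptions for this example.

```python
import json

# Constructed excerpt of a Mattermost config.json with the settings the answer
# above discusses (sample data for this example, not a real server's file).
SAMPLE_CONFIG = """{
  "ServiceSettings": {
    "SessionLengthSSOInDays": 30,
    "SessionLengthWebInDays": 30
  },
  "LdapSettings": {
    "Enable": true,
    "SyncIntervalMinutes": 60
  }
}"""

# Policy thresholds chosen for this example; tune them to your own requirements.
MAX_SSO_SESSION_DAYS = 1
MAX_LDAP_SYNC_MINUTES = 15

# ((section, key), policy maximum). The LdapSettings key name is an assumption
# based on the 60-minute sync interval mentioned above, not spelled out on the page.
POLICY = (
    (("ServiceSettings", "SessionLengthSSOInDays"), MAX_SSO_SESSION_DAYS),
    (("LdapSettings", "SyncIntervalMinutes"), MAX_LDAP_SYNC_MINUTES),
)


def audit_session_settings(config_text, policy=POLICY):
    """Return (dotted_path, current, maximum) for every setting above its policy cap."""
    cfg = json.loads(config_text)
    findings = []
    for (section, key), maximum in policy:
        value = cfg.get(section, {}).get(key)
        if value is not None and value > maximum:
            findings.append((f"{section}.{key}", value, maximum))
    return findings


def apply_policy(config_text, policy=POLICY):
    """Return a new config JSON string with offending values lowered to the cap."""
    cfg = json.loads(config_text)
    for (section, key), maximum in policy:
        if key in cfg.get(section, {}) and cfg[section][key] > maximum:
            cfg[section][key] = maximum
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for path, current, maximum in audit_session_settings(SAMPLE_CONFIG):
        print(f"{path} = {current}, exceeds policy maximum {maximum}")
    print(apply_policy(SAMPLE_CONFIG))
```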