User session timeout in Qlik Data Warehouse Automation when using Windows authentication

ToniKautto
Employee
Last Update:

May 10, 2022 8:10:05 AM

Updated By:

Sonja_Bauernfeind

Created date:

Mar 22, 2022 5:46:45 AM

Qlik Data Warehouse Automation is deployed with Windows authentication. User sessions do not time out in the Console or Web UI interfaces when the browser is left open and the user is idle for an extended period.

Environment

  • Qlik Replicate, All versions
  • Qlik Compose, All versions
  • Qlik Enterprise Manager, All versions

Cause

The Windows authentication token remains valid as long as the user is logged into Windows. Consequently, the user’s authentication is also valid in the browser as long as a browser window remains open.

When using Windows authentication, the Qlik user session remains open as long as the Qlik interface remains open in the browser.

There is no specific user session timeout configuration when applying Windows authentication.

Session timeout is not considered a security mechanism in this context, since any user with access to the Windows session can also access Qlik DW Automation through a browser within the Windows session.  

Mitigation

General security in the Qlik Data Warehouse Automation deployment should be hardened as described in Qlik Help, as referenced below. These measures mitigate common vulnerability risks, for example man-in-the-middle attacks and session hijacking, so the open user session does not pose a security risk.

Common IT security policies, like automatic Windows desktop screen-lock when the user is inactive, may also further secure the deployment and mitigate vulnerability risk.

If a specific user session termination is required, form authentication can be enabled in Qlik Enterprise Manager. This means that the existing Windows authentication token is not assumed for the session; instead, the user needs to enter user credentials at the start of a user session. In this mode, the session will time out after 5 minutes of idle time.

Another option is to implement SSO through SAML, where the session will terminate when the SAML token expires.

There is no increased risk of resource constraints on the server side due to extended user session length, since Qlik Data Warehouse Automation is commonly accessed by a limited user base and not the entire business. It is recommended to use Qlik Enterprise Manager for monitoring Qlik Data Warehouse Automation.

Related Documentation
