Merge pull request #15823 from rabbitmq/mergify/bp/v4.3.x/pr-15814

michaelklishin · web-flow · commit 9134d0e4133f · 2026-03-24T18:09:45.000-07:00
rabbitmq_management: Fix preference cookie expiry to respect session timeout (backport #15814)
diff --git a/deps/rabbitmq_management/priv/www/js/prefs.js b/deps/rabbitmq_management/priv/www/js/prefs.js
@@ -235,8 +235,14 @@ function parse_cookie() {
 }
 
 function store_cookie(dict) {
-    var date = new Date();
-    date.setFullYear(date.getFullYear() + 1);
+    var sessionTimeout = dict[short_key(LOGIN_SESSION_TIMEOUT)];
+    var date;
+    if (sessionTimeout != undefined) {
+        date = new Date();
+        date.setMinutes(date.getMinutes() + parseInt(sessionTimeout, 10));
+    } else {
+        date = default_hard_session_timeout();
+    }
     store_cookie_with_expiration(dict, date);
 }
 
diff --git a/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs b/deps/rabbitmq_management/priv/www/js/tmpl/overview.ejs
@@ -32,7 +32,7 @@
 <% }}} %>
 </div>
 
-<div class="section">
+<div class="section" id="totals-section">
 <h2>Totals</h2>
 <div  class="hider updatable">
 <% if(!disable_stats) { %>
diff --git a/selenium/test/basic-auth/session-expired-with-no-refresh.js b/selenium/test/basic-auth/session-expired-with-no-refresh.js
@@ -0,0 +1,38 @@
+const { By, Key, until, Builder } = require('selenium-webdriver')
+require('chromedriver')
+const assert = require('assert')
+const { buildDriver, goToHome, captureScreensFor, teardown, delay } = require('../utils')
+
+const LoginPage = require('../pageobjects/LoginPage')
+const OverviewPage = require('../pageobjects/OverviewPage')
+
+describe('Once user is logged in and no refresh is configured', function () {
+  let driver
+  let login
+  let overview
+  let captureScreen
+  this.timeout(65000)
+
+  before(async function () {
+    driver = buildDriver()
+    await goToHome(driver)
+    login = new LoginPage(driver)
+    overview = new OverviewPage(driver)
+    captureScreen = captureScreensFor(driver, __filename)
+    await login.login('guest', 'guest')
+    await overview.isLoaded()
+    await overview.selectRefreshOption("Do not refresh")
+    // Trigger a UI preference change to verify it does not extend the session.
+    await overview.ensureTotalsSectionIsInvisible()
+  })
+
+  it('any authorized request after the session has expired should log the user out', async function () {
+    await delay(60000)
+    await overview.clickOnConnectionsTab()
+    await login.isLoaded()
+  })
+
+  after(async function () {
+    await teardown(driver, this, captureScreen)
+  })
+})
diff --git a/selenium/test/basic-auth/session-expired.js b/selenium/test/basic-auth/session-expired.js
@@ -20,15 +20,15 @@ describe('Once user is logged in', function () {
     captureScreen = captureScreensFor(driver, __filename)
     await login.login('guest', 'guest')
     await overview.isLoaded()
-
+    // Trigger a UI preference change to verify it does not extend the session.
+    await overview.ensureTotalsSectionIsInvisible()
   })
 
   it('it has to login after the session expires', async function () {
-    
     await delay(60000)
-    await login.isLoaded() 
+    await login.isLoaded()
     await login.login('guest', 'guest')
-    await overview.isLoaded() 
+    await overview.isLoaded()
     await overview.clickOnConnectionsTab() // and we can still interact with the ui
   })
 
diff --git a/selenium/test/pageobjects/BasePage.js b/selenium/test/pageobjects/BasePage.js
@@ -33,10 +33,20 @@ module.exports = class BasePage {
     this.polling = parseInt(process.env.SELENIUM_POLLING) || 500 // how frequent selenium searches for an element
     this.interactionDelay = parseInt(process.env.SELENIUM_INTERACTION_DELAY) || 0 // slow down interactions (when rabbit is behind a http proxy)
   }
+
   async ensureSectionIsVisible(section) {
     let classes = await this.driver.findElement(section).getAttribute("class")
     if (classes.search('section-visible') < 0) {
-      return this.click(section)
+      return this.click(By.css(section.value + ' h2'))
+    } else {
+      return Promise.resolve(true)
+    }
+  }
+
+  async ensureSectionIsInvisible(section) {
+    let classes = await this.driver.findElement(section).getAttribute("class")
+    if (classes.search('section-invisible') < 0) {
+      return this.click(By.css(section.value + ' h2'))
     } else {
       return Promise.resolve(true)
     }
diff --git a/selenium/test/pageobjects/OverviewPage.js b/selenium/test/pageobjects/OverviewPage.js
@@ -12,6 +12,8 @@ const DOWNLOAD_DEFINITIONS_SECTION = By.css('div#download-definitions-section')
 const CHOOSE_BROKER_DOWNLOAD_FILE = By.css('input#download-filename')
 const DOWNLOAD_BROKER_FILE = By.css('button#upload-definitions')
 
+const TOTALS_SECTION = By.css('div#main div#totals-section')
+
 module.exports = class OverviewPage extends BasePage {
 
   async uploadBrokerDefinitions(file) {
@@ -27,4 +29,12 @@ module.exports = class OverviewPage extends BasePage {
   async downloadBrokerDefinitions(filename) {
     return this.click(DOWNLOAD_DEFINITIONS_SECTION)
   }
+
+  async ensureTotalsSectionIsVisible() {
+    return this.ensureSectionIsVisible(TOTALS_SECTION)
+  }
+
+  async ensureTotalsSectionIsInvisible() {
+    return this.ensureSectionIsInvisible(TOTALS_SECTION)
+  }
 }
