Docker Community Forums

Cookie Expiration for NIST 800-63-2 Environments


(Evan Montgomery-Recht) #1

Is there a way to adjust Cookie expiration in UCP (and DTR)? I work in an environment where we must meet NIST 800-63-2 Level 3 Requirements.

(NIST 800-63-2 - 9.3.2.3) Also, at Level 3, single-domain assertions (e.g., Web browser cookies) shall expire if they are not used within 30 minutes. Cross-domain assertions shall expire if not used within 5 minutes.

I’ve noticed that I can come back hours later and still have valid cookies for login. (I think a similar issue exists in DTR.) (Note there are also some SSO requirements later in that section; however, since we’ll be using Certs for initial authentication, this would not be applicable, unless there are plans to support some type of Federated Authentication provider (e.g. AD FS).)