
3060 active user session #3182

Merged
merged 28 commits into develop from 3060-active-user-session
Oct 16, 2024

Conversation

raftmsohani

@raftmsohani raftmsohani commented Sep 11, 2024

Summary of Changes

Pull request closes #3060

How to Test

List the steps to test the PR
These steps are generic, please adjust as necessary.

cd tdrs-frontend && docker-compose -f docker-compose.yml -f docker-compose.local.yml up -d
cd tdrs-backend && docker-compose -f docker-compose.yml -f docker-compose.local.yml up -d 
  1. Open http://localhost:3000/ and sign in.
  2. The timeout is set to 10 seconds; as long as you browse different pages, you will be considered active.

Deliverables

More details on how deliverables herein are assessed included here.

Deliverable 1: Accepted Features

Checklist of ACs:

  • A user session persists while the user is actively using the system
  • the session ends when the browser is closed
  • the session ends if the user is inactive for 15-30 minutes (see above)
  • lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

  • Are all areas of code introduced in this PR meaningfully tested?
    • If this PR introduces backend code changes, are they meaningfully tested?
    • If this PR introduces frontend code changes, are they meaningfully tested?
  • Are code coverage minimums met?
    • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
    • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

  • Are backend code style checks passing on CircleCI?
  • Are frontend code style checks passing on CircleCI?
  • Are code maintainability principles being followed?

Deliverable 4: Accessible

  • Does this PR complete the epic?
  • Are links included to any other gov-approved PRs associated with epic?
  • Does PR include documentation for Raft's a11y review?
  • Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

  • Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

  • Does this PR provide background for why coding decisions were made?
  • If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
  • If this PR introduces dependencies, are their licenses documented?
  • Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

  • Does the OWASP Scan pass on CircleCI?
  • Do manual code review and manual testing detect any new security issues?
  • If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

  • the purpose of the research
  • methods used to conduct the research
  • who participated in the research
  • what was tested and how
  • impact of research on TDP
  • (if applicable) final design mockups produced for TDP development

@raftmsohani raftmsohani self-assigned this Sep 11, 2024
@raftmsohani raftmsohani added the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Sep 11, 2024
@raftmsohani raftmsohani removed the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Sep 11, 2024

codecov bot commented Sep 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.66%. Comparing base (3ed27eb) to head (1e01d38).
Report is 2 commits behind head on develop.


@@           Coverage Diff            @@
##           develop    #3182   +/-   ##
========================================
  Coverage    92.66%   92.66%           
========================================
  Files           47       47           
  Lines         1009     1009           
  Branches       169      169           
========================================
  Hits           935      935           
  Misses          42       42           
  Partials        32       32           
Flag Coverage Δ
dev-frontend 92.66% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@raftmsohani raftmsohani added the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Sep 11, 2024
@raftmsohani
Author

The backend is using django.contrib.sessions, which enables the DB-backed session manager. However, we also enable the cookie session via SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies", which in turn happens to only respect the default SESSION_COOKIE_AGE and not the updated session timeout.

@raftmsohani
Author

raftmsohani commented Sep 24, 2024

We are using signed cookies to keep the session information, which uses SessionBase.
With every new request, the session timestamp is updated by signing a new session using the signing package.

SESSION_COOKIE_AGE = 15 * 60 # 15 minutes
#SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_AGE = 10 # 15 minutes
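Review bot: the comment on `SESSION_COOKIE_AGE = 10 # 15 minutes` no longer matches the value, which is 10 seconds, and the `SESSION_COOKIE_AGE = 15 * 60 # 15 minutes` assignment earlier in the same hunk is silently overridden by it; the author's reply marks the 10-second value as a test-only setting, so a single assignment with an accurate comment should be what lands on develop.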
Author

For testing only: revert back to previous setting

@@ -1,7 +1,6 @@
"""Admin class for DataFile objects."""
from django.contrib import admin
from tdpservice.core.utils import ReadOnlyAdminMixin
# from tdpservice.core.filters import custom_filter_title
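Review bot: the commented-out `# from tdpservice.core.filters import custom_filter_title` import is dead code; since this hunk already trims the admin module's imports, delete the commented line rather than leaving it, or keep this unrelated cleanup out of a session-handling PR so the change set stays focused.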
Author

Unrelated to this PR but I saw this is commented and not deleted

@raftmsohani raftmsohani added the raft review This issue is ready for raft review label Sep 26, 2024
@raftmsohani raftmsohani added QASP Review and removed raft review This issue is ready for raft review labels Oct 10, 2024
@ADPennington ADPennington removed the Deploy with CircleCI-raft Deploy to https://tdp-frontend-raft.app.cloud.gov through CircleCI label Oct 10, 2024
@ADPennington ADPennington added the Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI label Oct 10, 2024
@@ -281,10 +281,12 @@ class Common(Configuration):
)

# Sessions
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
SESSION_ENGINE = "tdpservice.core.custom_session_engine"
SIGNED_COOKIE_EXPIRES = 60 * 60 * 24 # 24 hours
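Review bot: `SIGNED_COOKIE_EXPIRES = 60 * 60 * 24 # 24 hours` is an absolute cap counted from the initial session and is independent of the `SESSION_COOKIE_AGE` inactivity window, but the comment does not say so and the two names are easy to confuse; spell out the distinction in the comment, and since the thread settles on 12 hours the value should become `60 * 60 * 12` with the comment updated to match. With `SESSION_ENGINE = "tdpservice.core.custom_session_engine"` replacing the stock signed_cookies backend, the custom engine is now the only place that cap is enforced, so a test that drives an active user across the cap would be worth adding alongside this change.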
Collaborator

@raftmsohani is this set to expire 24 hours from the initial session? If so, I wonder if it would be better to shorten this to 12 hours, which is on the very high end of an average work day. I'm also reaching out to our security officer about this.

Collaborator

@ADPennington ADPennington Oct 10, 2024


Evidence below suggests expiry 24 hours into the future. Left side is staging (current state) and right side is qasp (this branch).

[Screenshot 2024-10-10 172400]

Collaborator

@raftmsohani TDP's ISSO's feedback:

  • this change is related to AC-2-5. We'll need to update this documentation as part of this work to capture how the session refresh/expiration works for ACF users.
  • let's also reduce the expiration to 12 hours
  • we'll likely need to also complete risk-based decision documentation when the security team provides it.

Author

@ADPennington we shouldn't need to update AC-2-5, since we are still following the same timeout concept. In fact, this PR makes sure we are exactly following this timeout setting.
The only difference is: with the new changes, even if the user is active, the system will log the user out after 12 hrs.

Collaborator

confirming that the AC-2-5 seems aligned with the behavior in this PR, particularly this part: If the user chooses to extend the session, TDP will refresh the session.

@ADPennington ADPennington added OCIO Review and removed Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI labels Oct 10, 2024
Collaborator

@ADPennington ADPennington left a comment


feedback included in comments.

@ADPennington ADPennington added raft review This issue is ready for raft review and removed QASP Review OCIO Review labels Oct 11, 2024
@ADPennington ADPennington added the Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI label Oct 16, 2024
@andrew-jameson andrew-jameson added QASP Review and removed raft review This issue is ready for raft review labels Oct 16, 2024
SESSION_COOKIE_HTTPONLY = True
SESSION_SAVE_EVERY_REQUEST = True
#SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 10 # 15 minutes
SESSION_COOKIE_AGE = 60 * 30 # 30 minutes
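Review bot: `SESSION_COOKIE_AGE = 60 * 30 # 30 minutes` sits at the top of the 15-30 minute range in the acceptance criteria and, because `SESSION_SAVE_EVERY_REQUEST = True` re-signs and re-sets the cookie on every response, it is a sliding inactivity window rather than an absolute one; the comment should say so to keep it distinct from `SIGNED_COOKIE_EXPIRES`. Separately, `#SESSION_EXPIRE_AT_BROWSER_CLOSE = True` stays commented out while the PR checklist lists "the session ends when the browser is closed" as an acceptance criterion; with that setting off, Django emits the session cookie with a Max-Age, so it survives a browser restart, and either the setting or the checklist item needs to change.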
Collaborator

@raftmsohani can confirm that I received the warning for inactivity while logged in via AMS. I'm gonna wait another 30 minutes, because I'm trying to understand the relationship between cookie_age and cookie_expires. Max age set to 30 minutes when looking at devtools.
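The mechanism raftmsohani describes in the Sep 24 comment (the cookie is re-signed on every request, so the inactivity window slides) and the cookie_age versus cookie_expires question in the comment above can be shown with a small model of the two timers. This is an added example, not code from the TDP repository or from Django: Python's hmac module stands in for Django's signing package, the functions create_session, load_session and simulate_active_user, the SECRET_KEY and the timestamps are constructed for this example, and the SESSION_COOKIE_AGE and SIGNED_COOKIE_EXPIRES values are the 30 minutes and 12 hours settled on in the thread.

```python
"""Added example, not TDP project code: a signed session cookie with two timers.

SESSION_COOKIE_AGE is a sliding inactivity window, refreshed on every request
(the effect SESSION_SAVE_EVERY_REQUEST has with a signed-cookie engine), while
SIGNED_COOKIE_EXPIRES is an absolute lifetime counted from session creation
that ends the session even for an active user.  Python's hmac stands in for
django.core.signing so the example runs without Django installed.
"""
import base64
import binascii
import hashlib
import hmac
import json

SESSION_COOKIE_AGE = 60 * 30          # 30 minutes of inactivity (value from the PR thread)
SIGNED_COOKIE_EXPIRES = 60 * 60 * 12  # 12 hours absolute (the value the ISSO asked for)

SECRET_KEY = b"constructed-secret-for-this-example-only"  # constructed; never reuse


def _sign(payload: bytes) -> str:
    """Return urlsafe-base64(payload) '.' urlsafe-base64(HMAC-SHA256(payload))."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(mac).decode())


def _unsign(token: str):
    """Return the payload bytes if the MAC verifies, else None."""
    try:
        encoded_payload, encoded_mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded_payload)
        mac = base64.urlsafe_b64decode(encoded_mac)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged cookie leaks nothing via timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def create_session(user_id: str, now: int) -> str:
    """Issue a fresh cookie; both timers start at `now` (seconds since epoch)."""
    data = {"uid": user_id, "created": now, "last_seen": now}
    return _sign(json.dumps(data, sort_keys=True).encode())


def load_session(token: str, now: int):
    """Validate a cookie at time `now`.

    Returns (session_dict, refreshed_token) while the session is valid, or
    (None, None) when the cookie is forged, idle too long, or past the absolute
    lifetime.  The refreshed token carries the new last_seen, which is what
    makes the inactivity window slide on every request.
    """
    payload = _unsign(token)
    if payload is None:
        return None, None
    data = json.loads(payload)
    if now - data["last_seen"] > SESSION_COOKIE_AGE:
        return None, None  # idle longer than the inactivity window
    if now - data["created"] > SIGNED_COOKIE_EXPIRES:
        return None, None  # absolute cap reached, even though the user is active
    data["last_seen"] = now
    return data, _sign(json.dumps(data, sort_keys=True).encode())


def simulate_active_user(user_id: str, start: int, interval: int, count: int) -> int:
    """Count how many of `count` requests, sent every `interval` seconds after
    `start`, are accepted for a user who never goes idle.  With a 10-minute
    interval the answer is bounded by the absolute cap, not the idle timer."""
    token = create_session(user_id, start)
    accepted = 0
    for k in range(1, count + 1):
        data, token = load_session(token, start + k * interval)
        if data is None:
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    print("requests accepted before the 12h cap:",
          simulate_active_user("user-1", t0, 600, 80))  # 72
```

Running the script shows that a user browsing every 10 minutes is accepted for exactly 72 requests (12 hours) and then logged out regardless of activity, which is the behaviour raftmsohani describes for the 12-hour cap; a user who is idle for longer than 30 minutes is rejected by the first check, and a cookie whose payload or MAC has been altered is rejected before either timer is consulted.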

@ADPennington ADPennington removed the Deploy with CircleCI-qasp Deploy to https://tdp-frontend-qasp.app.cloud.gov through CircleCI label Oct 16, 2024
Collaborator

@ADPennington ADPennington left a comment


🚀 thanks @raftmsohani

@raftmsohani raftmsohani merged commit 34fb345 into develop Oct 16, 2024
27 checks passed
@raftmsohani raftmsohani deleted the 3060-active-user-session branch October 16, 2024 19:55
Successfully merging this pull request may close these issues.

As a TDP user, I need to stay logged in when I'm actively using the system
5 participants