Securing User Sessions

To secure users' sessions, you can configure session timeouts and multiple user login attempts.

Configuring Session Timeout

If you have deployed Management Center on an application server/container, you can configure the default session timeout period of the application server/container to change the session timeout period for the Management Center. If your server/container allows application specific configuration, you can use it to configure the session timeout period for the Management Center.

If you started Management Center from the command line, by default, the sessions that are inactive for 30 minutes are invalidated. To change this, you can use the hazelcast.mc.session.timeout.seconds property. For example, the following command starts Management Center with a session timeout period of 1 minute:

  • Linux and Mac

  • Windows

hz-mc start -Dhazelcast.mc.session.timeout.seconds=60
mc-start.cmd -Dhazelcast.mc.session.timeout.seconds=60
The timeout duration specified with the above property is effective only after the browser tab is closed or after the browser suspends the background activity of the webpage.

Disabling Multiple Simultaneous Login Attempts

By default, a user can log into an account in Management Center on multiple devices in different locations at the same time. To allow only one user to log into an account, start Management Center with the hazelcast.mc.allowMultipleLogin=false property.

Temporarily Disabling Logins

To prevent password guessing attacks, logging in is disabled for 5 seconds after 3 consecutive failed login attempts. If the failed attempts continue, the timeout is multiplied by 10 after each round of 3 consecutive failed login attempts. For example:

  1. You try to log in with your credentials consecutively 3 times but failed.

  2. Logging in is disabled and you have to wait for 5 seconds.

  3. After 5 seconds have passed, logging in is enabled.

  4. You try to log in with your credentials consecutively 3 times but again failed.

  5. Logging in is disabled again and this time you have to wait for 50 seconds until your next login attempt.

You can configure this behavior, using the following properties:

  • hazelcast.mc.failedAttemptsBeforeDisableLogin: Number of failed login attempts that cause the logging in to be temporarily disabled.

  • hazelcast.mc.initialDisableLoginPeriod: Initial duration for the disabled login period in seconds.

  • hazelcast.mc.disableLoginPeriodMultiplier: Multiplier used for extending the disabled login period in case the failed login attempts continue.

  • hazelcast.mc.maxDisableLoginPeriod: Maximum amount of time for the disabled login period.

Forcing Logout on Multiple Simultaneous Login Attempts

If you disabled multiple simultaneous login attempts, the first user to log in with a username stays logged in until that user explicitly logs out or the session expires. In the meantime, other users cannot log in with the same username. If you want to force user to log out and let the new users log in, start Management Center with the hazelcast.mc.forceLogoutOnMultipleLogin=true property.