Please find below the resolution and justification for each identified issue.
Application session does not expire on closing the browser
- The session expires when all browser windows, including non-RA tabs, are closed.
- The server-side session timeout is configurable; the default value is 60 minutes and can be changed as needed. We observed in the report that the session was restored within 4 minutes, which resulted in the session still being active. If you need the session to expire after x minutes, configure it as instructed below, after which the session will no longer be valid on the server.
- Configuring Session Timeout:
- Open the file RA_HOME\webapps\datamanagement\WEB-INF\web.xml
- Search for the line below. The default value is 60 (in minutes); change it to the required value.
- Save the file and restart the Release Automation Server Service.
Temporary account lock/suspension is not available on multiple invalid login attempts
RA does not have this feature implemented, but per our internal security review we do not consider it a vulnerability. If this feature is expected in the product, we request that you engage in discussion with Product Management and post this as an Enhancement Request on our RA Global Community.
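For the session timeout configured in web.xml above, the following added example (not vendor code) reads the standard servlet `<session-timeout>` element and checks it against a policy limit. The sample web.xml content is constructed for illustration, and the 15-minute limit is an assumed policy value.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the product's actual web.xml.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so any web-app schema version matches."""
    return tag.rsplit("}", 1)[-1]


def read_session_timeout(web_xml_text):
    """Return the raw <session-timeout> text, or None if not declared."""
    root = ET.fromstring(web_xml_text)
    for cfg in root.iter():
        if _local(cfg.tag) != "session-config":
            continue
        for child in cfg:
            if _local(child.tag) == "session-timeout":
                return (child.text or "").strip()
    return None


def audit_session_timeout(web_xml_text, max_minutes):
    """Return (status, minutes) for the configured server-side timeout."""
    raw = read_session_timeout(web_xml_text)
    if raw is None:
        return ("not-set", None)          # container default applies
    try:
        minutes = int(raw)
    except ValueError:
        return ("invalid", None)
    if minutes <= 0:
        # Servlet spec: zero or negative means sessions never time out.
        return ("never-expires", minutes)
    if minutes > max_minutes:
        return ("too-long", minutes)
    return ("ok", minutes)


if __name__ == "__main__":
    # max_minutes=15 is an assumed policy limit.
    print(audit_session_timeout(SAMPLE_WEB_XML, max_minutes=15))
```

Run the check again after editing the file and restarting the service to confirm the new value is in effect.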