Test out the impact of a shorter inactivity timeout value on edx STAGE env #909

Open
2 tasks
jristau1984 opened this issue Jan 27, 2025 · 2 comments

Comments


jristau1984 commented Jan 27, 2025

Cybersec wants to drop the inactivity timeout down to 24h... can we test that our inactivity flag works in STAGE env?

Ultimately, I want to find out what impacts it has... does it erase unsaved ORA submissions or break proctored exam sessions, etc... testing a short timeout in stage would hopefully allow us to do that.

A/C

  • Set short session inactivity timeout in stage (80 minutes)
  • Let Jeremy know when this is done (he'll handle comms to other teams)

Notes

  • JWTs last an hour, and the session should last more than the JWT. This should be accounted for in the stage testing, by either adjusting the JWT to 15 min, or adjusting the session to longer than an hour.
  • Mobile has a different timeout framework. Be sure to consider it in this testing as well.
  • Do we need to pause the pipeline and revert something like this, or is it controlled per environment?
    • There are remote-config settings for this, so changes can be made per environment and deployed without the gocd pipeline.
jristau1984 converted this from a draft issue Jan 27, 2025
@timmc-edx
Member

@jristau1984 Is 80 minutes OK, or should we also try to reduce JWT timeouts further e.g. to 15 minutes so that session timeout can be faster? (We can reduce JWT timeouts, but there may be more realism in leaving them alone.)

@timmc-edx
Member

In parallel we should also be checking on whether this can be solved a different way -- are there actually hard requirements for this across the entire site, or can we just give some users a shorter timeout to meet a partner's requirements (if that's what's driving this).

timmc-edx moved this to Ready For Development in Arch-BOM Jan 28, 2025