UAC Directives
The following directives configure User Access Control (UAC).
uac_user_limit
Description | Maximum number of users |
Syntax | uac_user_limit max |
Context | global |
Default | 0 |
The maximum number of users that can access RealityServer at a time. If set to 0 (or not given), an unlimited number of users may access it.
uac_session_timeout
Description | UAC session timeout |
Syntax | uac_session_timeout seconds |
Context | global |
Default | 600 |
To prevent denial of service, UAC sessions expire after a period of inactivity. If a session is not accessed within uac_session_timeout seconds, it is deleted and its session slot is made available to other potential users.
uac_auto_session
Description | UAC automatic session allocation |
Syntax | uac_auto_session on|off |
Context | global |
Default | on |
By default RealityServer automatically allocates a session to a user who accesses a UAC-controlled URL without a session cookie set. This behaviour can be disabled by setting uac_auto_session to off. In that case, users have to explicitly request a session id via the /uac/create/ URL to obtain a session before accessing UAC-controlled URLs.
uac_session_cookie
Description | UAC session cookie name |
Syntax | uac_session_cookie cookie_name |
Context | global |
Default | rs-uac-sid |
UAC is implemented via session cookies. When a user is granted access, a session cookie is set containing the generated session id. The name of the cookie can be controlled via the uac_session_cookie directive.
uac_session_cookie_domain
Description | UAC session cookie domain |
Syntax | uac_session_cookie_domain domain |
Context | global |
Default | None |
By default UAC session cookies do not set a 'Domain' attribute, which makes the cookies only applicable to the exact domain that the request was made from. By using the uac_session_cookie_domain directive, the 'Domain' attribute of the cookie is set to the provided domain.
uac_management_base_url
Description | UAC session management url |
Syntax | uac_management_base_url url |
Context | global |
Default | /uac/ |
RealityServer provides UAC management via the uac_management_base_url URL. Users can create and destroy sessions, as well as associate scopes with a session, by accessing commands on that URL. The URL used for this can be changed by setting this directive.
uac_same_site
Description | Value for the SameSite cookie attribute |
Syntax | uac_same_site none|lax|strict |
Context | global |
Default | By default no SameSite attribute is set |
Starting from Chrome 80, web browsers are beginning to enforce the IETF "Incrementally Better Cookies" proposal. This affects UAC when the URL of the site hosting the application is not the same as the URL used to access RealityServer. Setting uac_same_site adds the given SameSite attribute to all UAC cookies so that this behaviour can be controlled. Typically this would be set to none to allow the UAC cookies to be sent with cross-site RealityServer requests.
By default no SameSite attribute is set so web browser default behaviour will apply.
Note that when uac_same_site is set to none, uac_secure is automatically enabled, because the proposal requires cookies with SameSite=None to also carry the Secure attribute. If this behaviour is not desired, uac_secure can be explicitly disabled, although currently there is no use case for doing so.
uac_secure
Description | UAC Secure cookie attribute |
Syntax | uac_secure on|off |
Context | global |
Default | on if uac_same_site is none, otherwise off |
If enabled, adds the Secure attribute to all UAC cookies, so browsers only send them over HTTPS connections.
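The interplay between uac_session_cookie, uac_session_cookie_domain, uac_same_site and uac_secure described above can be checked against what a deployment actually emits. The following is an added example, not RealityServer code: it derives the cookie attributes the directives imply (including the uac_secure default rule) and audits a constructed Set-Cookie header against them. The directive names and defaults are taken from this page; the Set-Cookie headers are constructed samples.

```python
# Defaults taken from the directive tables: cookie rs-uac-sid,
# no Domain, no SameSite, and uac_secure derived from uac_same_site.
DEFAULTS = {"uac_session_cookie": "rs-uac-sid", "uac_session_cookie_domain": None,
            "uac_same_site": None, "uac_secure": None}

def effective_secure(cfg):
    """uac_secure default: on when uac_same_site is none, otherwise off.
    An explicitly configured uac_secure value always wins."""
    if cfg.get("uac_secure") is not None:
        return cfg["uac_secure"] == "on"
    return cfg.get("uac_same_site") == "none"

def expected_attributes(cfg):
    """Cookie name and attributes the UAC directives say the server should set."""
    cfg = {**DEFAULTS, **cfg}
    return {"name": cfg["uac_session_cookie"],
            "domain": cfg["uac_session_cookie_domain"],
            "samesite": cfg["uac_same_site"],
            "secure": effective_secure(cfg)}

def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, attributes); flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs

def audit_set_cookie(header, cfg):
    """Return the deviations between an observed UAC Set-Cookie header and
    what the configured directives imply (empty list means it matches)."""
    exp = expected_attributes(cfg)
    name, attrs = parse_set_cookie(header)
    findings = []
    if name != exp["name"]:
        findings.append(f"cookie name {name!r}, expected {exp['name']!r}")
    if (attrs.get("domain") or None) != exp["domain"]:
        findings.append(f"Domain={attrs.get('domain')}, expected {exp['domain']}")
    observed_ss = attrs.get("samesite")
    observed_ss = observed_ss.lower() if isinstance(observed_ss, str) else None
    if observed_ss != exp["samesite"]:
        findings.append(f"SameSite={observed_ss}, expected {exp['samesite']}")
    if ("secure" in attrs) != exp["secure"]:
        findings.append(f"Secure present={'secure' in attrs}, expected {exp['secure']}")
    if observed_ss == "none" and "secure" not in attrs:
        # The proposal requires SameSite=None cookies to be Secure; enforcing browsers drop them.
        findings.append("SameSite=None without Secure: browsers enforcing the proposal reject the cookie")
    return findings
```

Run it against the Set-Cookie header of a /uac/create/ response with the deployment's directive values to confirm the cross-site configuration really ships Secure alongside SameSite=None.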