How to disable a user session at a specific time?

What I’m trying to do:

  1. Give a user access to my Cloudflare applications (SSH and VNC) at a specific time.
  2. Stop the user's sessions when a fixed period of time elapses (pre-decided before step 1).
  3. Do all of this via API so that it can be automated.
  4. Once this user loses access, I don’t want them to occupy a seat.

My reference: session management guide

What I’ve tried:
Step 1 - When I receive a request from a user (at time T), I send an API call to CF to add an allow policy for that user’s email. Default ‘application_session_duration’, ‘policy_session_duration’, and ‘global_session_duration’ are all rightly set to X hours.
Step 2 - When it’s time=T+X, I send out an API call to CF to add a deny policy for the same user email.

What is happening:

  1. Step 1 works perfectly. The user is able to authenticate and use the application.
  2. But the process of revoking access or ending the session does not really happen. I’ve tried this approach and even 10 minutes after time T+X I was able to normally access the application.
  3. I tried manually testing the policies. What happens is that both the ‘allow’ and ‘deny’ policies are now active; however, the allow policy, being older in time, overrides the newer deny policy and the user can still access the application.