This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.
When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.
This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.
If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.
[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
Before this fix, the application was simply crashing during execution
when connection to redis was failing.
Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
Clement Michaud