Update session timeout to be 24 hours with activity extension #1035

Open
@robrap

For CyberSecurity (and our users), we need to find a solution to update our production session timeout to 24 hours, allowing it to be extended with activity. This ticket will include some discovery.

Notes:

  • In "Update session inactivity timeout value to 24h in STAGE env" (#981), we learned that setting SESSION_COOKIE_AGE (not session inactivity) to 24 hours does in fact work.
    • However, it doesn't seem like activity extends the session.
  • Using the Session Activity Middleware (name?) was tested earlier, but we are not confident in those test results, because we also thought that SESSION_COOKIE_AGE was not working, but we were wrong.
    • We could test this middleware and SESSION_INACTIVITY_TIMEOUT_IN_SECONDS in devstack, and if it works, try it out in Stage.
  • Note: If SESSION_COOKIE_AGE is tuned to less than an in devstack, you would also have to tune the JWT cookie settings as well.
  • [idea] Another possibility might be introducing a new setting that extends the session cookie on login_refresh calls from MFEs.
  • See OEP-42: Authentication for more details on authentication and JWT cookies if needed.
