Overview

The Xloud Dashboard uses JWT (JSON Web Token) based session management. When a user logs in, the Dashboard obtains a Keystone authentication token and wraps it in a JWT stored as a browser cookie named session. No server-side session storage (Memcached, Redis, database) is required.

Prerequisites

  • Administrator access for session configuration changes
  • XDeploy access for applying configuration changes

How Sessions Work


Session Properties

| Property | Description | Default |
|---|---|---|
| Cookie name | session | Fixed |
| Token format | JWT containing Keystone token | Fixed |
| Session duration | Follows Keystone token expiration | Typically 1 hour |
| Storage | Client-side (browser cookie) | No server-side storage |
| RBAC cache | Per-endpoint permission cache | 30 seconds TTL |

Since sessions are stateless JWT tokens, the Dashboard can be horizontally scaled across multiple nodes behind a load balancer without shared session storage. Any node can validate any session.

Configuration

Session behavior is configured through the Skyline API server configuration:
1. Open Advanced Configuration

   Navigate to XDeploy > Advanced Configuration and select skyline-apiserver in the service tree.

2. Edit session settings

   In the skyline.yaml configuration file, the relevant settings are:
     • secret_key — JWT signing key (auto-generated during deployment)
     • session_name — Cookie name (default: session)
     • token_expiration — Inherited from Keystone token settings

   Changing the secret_key invalidates all active sessions. Users will need to log in again after the change is applied.

3. Apply changes

   Save the configuration and run Operations > Reconfigure to apply.

Security Considerations

Cookie security flags

Session duration is tied to the Keystone token expiration. When the token expires, the session cookie becomes invalid and the user is redirected to the login page. Configure Keystone token expiration through XDeploy to adjust session duration.

Since sessions are stateless (JWT in cookie), no shared session backend is needed. All Dashboard nodes behind HAProxy can validate any session independently using the shared secret_key configured during deployment.
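
The stateless validation described above, as an added example (not Xloud or Skyline code): any node holding the same secret_key accepts the cookie, while a changed key or an expired token rejects it. The HS256 algorithm and the claim names keystone_token and exp are assumptions; the page states neither.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret_key: str, signing_input: str) -> str:
    mac = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def issue_session(secret_key, keystone_token, expires_at) -> str:
    """Build the `session` cookie value: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    # Claim names are assumptions; the page only says the JWT wraps the token.
    claims = {"keystone_token": keystone_token, "exp": expires_at}
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{sign(secret_key, header + '.' + payload)}"

def validate_session(secret_key, cookie, now):
    """Return the claims if the cookie is authentic and unexpired, else None."""
    try:
        header, payload, sig = cookie.split(".")
        # Pin the algorithm: the token must not choose how it is verified.
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(sign(secret_key, f"{header}.{payload}"), sig):
            return None
        claims = json.loads(unb64url(payload))
        # Session lifetime follows the wrapped token's expiry.
        return claims if now < claims["exp"] else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

if __name__ == "__main__":
    now = int(time.time())
    key = "constructed-demo-secret"  # constructed stand-in for secret_key
    cookie = issue_session(key, "constructed-keystone-token", now + 3600)
    print("node A accepts:", validate_session(key, cookie, now) is not None)
    print("node B accepts:", validate_session(key, cookie, now) is not None)
    print("after key change:", validate_session("new-secret", cookie, now))
    print("after expiry:", validate_session(key, cookie, now + 3601))
```

Because validation depends only on secret_key, every node must hold the same value, and anyone who obtains it can mint cookies that all nodes accept.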

Next Steps

  • Dashboard Admin Guide: Return to the admin guide overview
  • Identity Admin Guide: Configure token expiration and authentication backends
  • Deployment: Configure Dashboard settings through XDeploy
  • Security: Platform security hardening and compliance