Cloudron Forum

Are there any plans to add SSO session timeout / inactivity timeout to Cloudron? I am finding that when I configure timeout (e.g. when browser is closed) within apps that are using Cloudron's SSO, the SSO is still keeping the user logged in. Many businesses require sessions to expire after inactivity or browser closure for security audits. If a user forgets to log out on a shared machine, a "timeout on close" or "idle timeout" is the only line of defense. Most professional SSO providers (like Okta or Auth0) allow admins to set a "Max Session Age" or "Inactivity Timeout" at the platform level.

[image: 1772909444682-screenshot-2026-03-07-at-18.50.13.png]

@luckow said: Installing App to diffy.example.org ... Image: tcmbp132021/cloudron-dify:latest ✘ Installation failed: No such route [I assume diffy.example.org is just obfuscation for the forum. ] Compared to this : Installing App to jumble.xapps.uk... Image: tcmbp132021/cloudron-dify:latest Installation Started! (This may take a few minutes) I think this suggests / confirms network issue. Try again, maybe ? The first part of the sequence (the script) runs in seconds, so re-trying is do-able. The second part (the cloudron install) takes few minutes because of image size. Are you running the install on your desktop/laptop ? Or on your Cloudron instance ? Either way, I suspect temporary network failure connecting to hub.docker.com Edit : I would do some standard network diagnostics. % ping hub.docker.com PING hub.docker.com.cdn.cloudflare.net (104.18.43.187): 56 data bytes 64 bytes from 104.18.43.187: icmp_seq=0 ttl=58 time=11.143 ms 64 bytes from 104.18.43.187: icmp_seq=1 ttl=58 time=11.543 ms 64 bytes from 104.18.43.187: icmp_seq=2 ttl=58 time=10.148 ms ^C --- hub.docker.com.cdn.cloudflare.net ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 10.148/10.945/11.543/0.587 ms Hmmm, possibly a Cloudflare issue ?

@imc67 one app instance (4y old) +------+----------+ | hour | sessions | +------+----------+ | 0 | 2 | | 2 | 1 | | 7 | 2 | | 8 | 1 | | 9 | 1 | | 13 | 3 | | 15 | 1 | | 17 | 3 | | 19 | 1 | | 20 | 3 | | 21 | 4 | | 22 | 1 | +------+----------+ different app instance (7y old) +------+----------+ | hour | sessions | +------+----------+ | 3 | 1 | | 5 | 2 | | 15 | 4 | | 18 | 2 | | 19 | 2 | | 20 | 2 | | 21 | 4 | | 22 | 2 | +------+----------+ health check is every 10 sec. Mar 07 18:00:50 - - - [07/Mar/2026:17:00:50 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)" Mar 07 18:00:50 172.18.0.1 - - [07/Mar/2026:17:00:50 +0000] "GET / HTTP/1.1" 302 299 "-" "Mozilla (CloudronHealth)" Mar 07 18:01:00 - - - [07/Mar/2026:17:01:00 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)" Mar 07 18:01:00 172.18.0.1 - - [07/Mar/2026:17:01:00 +0000] "GET / HTTP/1.1" 302 299 "-" "Mozilla (CloudronHealth)" Mar 07 18:01:10 - - - [07/Mar/2026:17:01:10 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)" Mar 07 18:01:10 172.18.0.1 - - [07/Mar/2026:17:01:10 +0000] "GET / HTTP/1.1" 302 299 "-" "Mozilla (CloudronHealth)" Mar 07 18:01:20 - - - [07/Mar/2026:17:01:20 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)" Mar 07 18:01:20 172.18.0.1 - - [07/Mar/2026:17:01:20 +0000] "GET / HTTP/1.1" 302 299 "-" "Mozilla (CloudronHealth)" Mar 07 18:01:30 - - - [07/Mar/2026:17:01:30 +0000] "GET / HTTP/1.1" 302 - "-" "Mozilla (CloudronHealth)" Mar 07 18:01:30 172.18.0.1 - - [07/Mar/2026:17:01:30 +0000] "GET / HTTP/1.1" 302 299 "-" "Mozilla (CloudronHealth)"

Hello @bitbound I would like to verify that https://github.com/bitbound is really you so I can add you to the @validated-app-maintainer group. Unfortunately the GitHub profile has no public mail visible which I could have used for cross-reference with the mail used here in the forum. Some commits are signed with the GPG key B5690EEEBB952194 but the profile also has no GPG key information https://github.com/bitbound.gpg. So I also can't send a signed mail for verfication.

@SansGuidon said: ALLOW_IANA_RESTRICTED_ADDRESSES=true You need to put an export in front of that. It needs to be: export ALLOW_IANA_RESTRICTED_ADDRESSES=true

@jdaviescoates yes, exactly what I meant

@robi great find! will give it a try.

@girish nextcloud federates, too.

Looks great! +1 for this app

OK upgrade wow that looks like it work with me crying do I try to do the domain move now take a snap be for I start just to make sure or do I upgrade to Ubuntu 24.04 1st Nozy

@humptydumpty This is a big problem. I was shocked to see that as of 2026, only 4 out of 50 states had passed the "right to repair". But if Chinese AI companies can used "distillation" to create new AI models, then perhaps the same approach could be used to create a digital twin of a tractor and then replace proprietary software with open source software.

Maybe I am slow on the uptake, but I have only just realised the impact which AGENT.md and SOUL.md have on the behaviour of the bot. Well, I knew it in theory, but I did not do "2+2". Significant customisation possible, and because those files (and others) are deployed to /app/data/.nanobot/workspace, they are easily edited w/o container rebuild or app restart (just a runtime /app/data/restart-gateway). For my needs I have removed the puff and padding from responses, and just get the answer. In theory, the base personality in AGENT.md/SOUL.md can be overridden in a particular SKILL.md, but I have not yet played with that. I was initially "overwhelmed" by creating a skill, I think the docs and the available examples are pretty poor (IMHO), but now I have realised the scope of what is possible. Especially getting an agent to write the skill ! If you have not tried Nanobot, it's a functional lightweight bloat-free app with great potential. Might well be my first Community App once 9.1.x is stable.