Session Timeout? #1943
Comments
This can probably be handled via beaker configuration. Investigate and document if necessary.
tl;dr: How long should sessions last? As far as I can see, authentication doesn't use beaker. The authentication session is handled by Repoze.who with an authentication ticket object stored as the value of a With this version of Repoze.who (1.0.19), it's not possible to set max_age for the cookie (at least, not easily), but we can set the timeout value, which effectively achieves the same thing. So, how long should a session last?
Can set the session timeout and reissue_time from the config file if these aren't provided by who.ini. New config settings: who.timeout, who.reissue_time.
This provides too fine-grained control for most users. So leaving it out of the template (though leaving use of the setting in the code).
All config should be centralized to the .ini files.
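A worked illustration of the timeout / reissue_time semantics discussed in this thread, added here as an example; it is not code from CKAN or Repoze.who. It reads the proposed who.timeout and who.reissue_time keys from a constructed [app:main] .ini fragment and applies them to a simplified, constructed auth-ticket format (an HMAC tag plus an issue timestamp plus the user id; Repoze.who's real auth_tkt cookie layout differs). The function and variable names are assumptions made for the example.

```python
import configparser
import hashlib
import hmac

# Constructed config fragment in the shape of a CKAN .ini file. The
# who.timeout / who.reissue_time keys are the ones proposed in the thread;
# the values (seconds) are illustrative.
SAMPLE_INI = """
[app:main]
who.timeout = 3600
who.reissue_time = 600
"""


def load_who_settings(ini_text):
    """Return (timeout, reissue_time) in seconds from the [app:main] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    timeout = cfg.getint("app:main", "who.timeout")
    reissue = cfg.getint("app:main", "who.reissue_time")
    # A ticket must be reissued before it expires, otherwise reissue never fires.
    if reissue >= timeout:
        raise ValueError("who.reissue_time must be less than who.timeout")
    return timeout, reissue


def make_ticket(secret, userid, issued_at):
    """Build a constructed ticket: 64-hex HMAC tag, 8-hex issue time, user id."""
    ts = "%08x" % int(issued_at)
    tag = hmac.new(secret, (ts + userid).encode(), hashlib.sha256).hexdigest()
    return tag + ts + userid


def check_ticket(secret, ticket, now, timeout, reissue_time):
    """Classify a ticket as 'invalid', 'expired', 'reissue' or 'ok'."""
    if len(ticket) < 72:
        return "invalid", None
    tag, ts, userid = ticket[:64], ticket[64:72], ticket[72:]
    expected = hmac.new(secret, (ts + userid).encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return "invalid", None
    age = int(now) - int(ts, 16)
    # timeout is measured from the ticket's issue time, not from the login.
    if age < 0 or age > timeout:
        return "expired", None
    # Past reissue_time the server hands out a fresh ticket on this request.
    if age > reissue_time:
        return "reissue", userid
    return "ok", userid


def handle_request(secret, ticket, now, timeout, reissue_time):
    """Per-request server-side check; returns (status, userid, new_ticket_or_None)."""
    status, userid = check_ticket(secret, ticket, now, timeout, reissue_time)
    if status == "reissue":
        return status, userid, make_ticket(secret, userid, now)
    return status, userid, None


if __name__ == "__main__":
    timeout, reissue = load_who_settings(SAMPLE_INI)
    secret = b"constructed-secret"  # assumption: a server-side secret
    t0 = 1_700_000_000
    ticket = make_ticket(secret, "alice", t0)
    for dt in (10, 601, 3601):
        print(dt, handle_request(secret, ticket, t0 + dt, timeout, reissue)[:2])
```

Because the ticket timestamp is refreshed whenever an active user passes reissue_time, the effective behaviour is an inactivity timeout: a user who keeps clicking stays logged in, while a ticket left idle at an unattended workstation stops being accepted `timeout` seconds after it was last issued.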
Pondering the idea of something to automatically handle session timeouts —
The CKAN application does not appear to have any form of session expiry in place. Session expiry is important to ensure that unauthorised use of the application is not possible in situations such as a user forgetting to shut down their browser or leaving their workstation unattended for extended periods.
Suggested fix
Functionality needs to be developed, or enabled if it is already present, to expire a user’s session on the server side, in effect logging them out of the application after a predefined interval of inactivity.
— is this an issue, per se, or something that's more of a social issue (aka lock your workstation when you leave)?
(origin: pentest)