Prevent users from entering large session lifetimes #411
kikmedia opened this issue Mar 28, 2019 · 4 comments
kikmedia commented Mar 28, 2019

Affected version(s)
4.4.x, all (and probably all later versions including 4.7.)

Description
If a user enters a very long session lifetime in the backend, he will afterwards not be able to log in again.
How to reproduce
Go to backend -> settings and enter an unusually large value for session expiration, for example 360000000000 seconds. Log out. Try to log in again.

IMO, this setting should only be able to accept reasonable values. Any session longer than a week (or a month, or a year) should not be accepted if the value becomes too large.

fritzmg commented Mar 28, 2019

Maybe it needs to be checked against PHP_INT_MAX?

@Paddy0174

Should only affect 4.4.x, as the setting is no longer present in 4.7. As I understand, right now in 4.7 it no longer exists in the BE, but it is so far not implemented in CM.
Do we already check these types of files (config) in any way, if they are manually changed? Because checking the setting in the BE seems not enough for 4.7.x (because it doesn't have this setting).

@timgatzky

Maybe a "maxval" or "maxlength" in the tl_session.sessionTimeout DCA eval would be a safe but still flexible way.
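As an added example (not Contao's own code), a validator in the spirit of the two suggestions above: it rejects lifetimes above a fixed upper bound and values that would push the expiry timestamp past PHP_INT_MAX. The function name and the one-year bound are assumptions, not values from the issue.

```php
<?php
// Added example, not part of Contao. Validates a session lifetime setting
// before it is saved, so that an oversized value cannot break later logins.
declare(strict_types=1);

// Assumed upper bound: one year. The thread suggests a week, month or year;
// the same bound could be declared as 'maxval' in the DCA eval instead.
const MAX_SESSION_LIFETIME = 365 * 24 * 3600;

/**
 * Returns the validated lifetime in seconds, or throws for input that is
 * not a positive integer, exceeds the maximum, or is so large that
 * time() + $lifetime would overflow PHP_INT_MAX (fritzmg's suggestion).
 */
function validateSessionLifetime(string $input, int $max = MAX_SESSION_LIFETIME): int
{
    $digits = ltrim(trim($input), '0');
    if ($digits === '' || !preg_match('/^\d+$/', $digits)) {
        throw new InvalidArgumentException('Session lifetime must be a positive integer of seconds.');
    }

    // Guard on the string length first: casting a literal with more digits
    // than PHP_INT_MAX to int would silently saturate instead of failing.
    if (strlen($digits) > strlen((string) PHP_INT_MAX)
        || (int) $digits > PHP_INT_MAX - time()) {
        throw new InvalidArgumentException('Session lifetime would overflow the expiry timestamp.');
    }

    $lifetime = (int) $digits;
    if ($lifetime > $max) {
        throw new InvalidArgumentException(
            sprintf('Session lifetime must not exceed %d seconds.', $max)
        );
    }

    return $lifetime;
}

// The value from the reproduction steps is rejected; a one-hour lifetime passes.
foreach (['360000000000', '3600'] as $candidate) {
    try {
        echo $candidate, ' -> accepted as ', validateSessionLifetime($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```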

@leofeyer leofeyer added the bug label Apr 8, 2019
@leofeyer leofeyer added this to the 4.4.37 milestone Apr 8, 2019
@leofeyer leofeyer removed the bug label Apr 8, 2019
@leofeyer leofeyer removed this from the 4.4.37 milestone Apr 8, 2019
@leofeyer leofeyer added up for discussion Issues and PRs which will be discussed in our monthly Mumble calls. bug and removed up for discussion Issues and PRs which will be discussed in our monthly Mumble calls. labels Apr 8, 2019
@leofeyer leofeyer modified the milestones: 4.4.38, 4.4.39 Apr 11, 2019
@leofeyer leofeyer self-assigned this Apr 25, 2019
@leofeyer
Member

Fixed as discussed in Mumble in 432251d.

@leofeyer leofeyer modified the milestones: 4.4.39, 4.4 May 14, 2019
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2024