Re: [Dev] Let's increase default value for session timeout
On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne dimut...@wso2.com wrote:

> Hi,
>
> I am -0 for this. There are some negative effects of increasing session timeout.
>
> 1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
> 2) Security risk is marginally increased.

I agree with Dimuthu. In default implementation we should ship products with maximum security. If needed users can change security levels by modifying config files.

Thanks
AmilaJ

> tx,
> dimuthu
>
> On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:
>
>> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>>
>> +1
>>
>> thanks,
>> Amila.

--
Mobile : +94773330538

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] Let's increase default value for session timeout
On Sun, Apr 1, 2012 at 9:26 PM, Amila Jayasekara ami...@wso2.com wrote:

> On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne dimut...@wso2.com wrote:
>
>> Hi,
>>
>> I am -0 for this. There are some negative effects of increasing session timeout.
>>
>> 1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
>> 2) Security risk is marginally increased.
>
> I agree with Dimuthu. In default implementation we should ship products with maximum security. If needed users can change security levels by modifying config files.

I disagree. In default implementation we should ship products with maximum usability. If needed users can change security by modifying config files.

> Thanks
> AmilaJ
>
>> tx,
>> dimuthu
>>
>> On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:
>>
>>> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>>>
>>>> Hi,
>>>>
>>>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>>>
>>> +1
>>>
>>> thanks,
>>> Amila.

--
Regards,
Tharindu

blog: http://mackiemathew.com/
M: +9459908
Re: [Dev] Let's increase default value for session timeout
On Sun, Apr 1, 2012 at 11:51 PM, Tharindu Mathew thari...@wso2.com wrote:

> On Sun, Apr 1, 2012 at 9:26 PM, Amila Jayasekara ami...@wso2.com wrote:
>
>> On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne dimut...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> I am -0 for this. There are some negative effects of increasing session timeout.
>>>
>>> 1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
>>> 2) Security risk is marginally increased.
>>
>> I agree with Dimuthu. In default implementation we should ship products with maximum security. If needed users can change security levels by modifying config files.
>
> I disagree. In default implementation we should ship products with maximum usability. If needed users can change security by modifying config files.

Hi Tharindu,

I was not comparing security and usability. Of course the product must be usable with maximum security. If we ship the product with medium/low security level, most probably, users will get to know that they have to tweak some configurations in order to achieve maximum security only after facing an attack. Therefore it is better to ship default configurations with maximum available security.

When I say maximum security it doesn't mean user is not allowed to login. User will get all available functionalities with maximum security. This is the norm followed by most of other software products (including Operating Systems, such as Windows).

E.g.: Shipping product with support for only strong SSL ciphers. If a customer wants support for medium/low SSL ciphers, he/she has to change configurations. But in default configuration, we should only support strong SSL ciphers, so that an attacker will be unable to carry out a brute force attack.

For this particular scenario, one vulnerability I see is some unauthorized user gaining access to management console after keeping user's machine unlocked for some time. I am not quite sure about the correct value for the session time. But if we are increasing that value, we need to reason out the "new value" properly, based on real usage.

Thanks
AmilaJ

>> Thanks
>> AmilaJ
>>
>>> tx,
>>> dimuthu
>>>
>>> On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:
>>>
>>>> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>>>>
>>>> +1
>>>>
>>>> thanks,
>>>> Amila.

--
Mobile : +94773330538
Re: [Dev] Let's increase default value for session timeout
Guys, we also ship the product with admin/admin as the password. I'm willing to bet there are tons of production machines with this unchanged :(.

If the security risk at hand is that someone will leave their machine unlocked and someone else can come in and access the admin console because the session didn't time out, honestly for me that's a theoretical problem. Shouldn't the person have a screen saver + lock on their machine?? Any real admin would.

I'm +1 for changing the default to 30 mins. The session growth scenario is real but again very unlikely for the console .. many people don't log in at once to a boring server console, even if it's as hot as ours!

Sanjiva.

On Mon, Apr 2, 2012 at 1:18 AM, Amila Jayasekara ami...@wso2.com wrote:

> On Sun, Apr 1, 2012 at 11:51 PM, Tharindu Mathew thari...@wso2.com wrote:
>
>> On Sun, Apr 1, 2012 at 9:26 PM, Amila Jayasekara ami...@wso2.com wrote:
>>
>>> On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne dimut...@wso2.com wrote:
>>>
>>>> Hi,
>>>>
>>>> I am -0 for this. There are some negative effects of increasing session timeout.
>>>>
>>>> 1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
>>>> 2) Security risk is marginally increased.
>>>
>>> I agree with Dimuthu. In default implementation we should ship products with maximum security. If needed users can change security levels by modifying config files.
>>
>> I disagree. In default implementation we should ship products with maximum usability. If needed users can change security by modifying config files.
>
> Hi Tharindu,
>
> I was not comparing security and usability. Of course the product must be usable with maximum security. If we ship the product with medium/low security level, most probably, users will get to know that they have to tweak some configurations in order to achieve maximum security only after facing an attack. Therefore it is better to ship default configurations with maximum available security.
>
> When I say maximum security it doesn't mean user is not allowed to login. User will get all available functionalities with maximum security. This is the norm followed by most of other software products (including Operating Systems, such as Windows).
>
> E.g.: Shipping product with support for only strong SSL ciphers. If a customer wants support for medium/low SSL ciphers, he/she has to change configurations. But in default configuration, we should only support strong SSL ciphers, so that an attacker will be unable to carry out a brute force attack.
>
> For this particular scenario, one vulnerability I see is some unauthorized user gaining access to management console after keeping user's machine unlocked for some time. I am not quite sure about the correct value for the session time. But if we are increasing that value, we need to reason out the "new value" properly, based on real usage.
>
> Thanks
> AmilaJ
>
>>> Thanks
>>> AmilaJ
>>>
>>>> tx,
>>>> dimuthu
>>>>
>>>> On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:
>>>>
>>>>> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>>>>>
>>>>> +1
>>>>>
>>>>> thanks,
>>>>> Amila.

--
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
email: sanj...@wso2.com; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
blog: http://sanjiva.weerawarana.org/
Lean . Enterprise . Middleware
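The two effects argued over in this thread, an unattended console staying logged in versus session objects being multiplied by the number of live users, both come from how an inactivity timeout behaves. The following is an added illustration, not code from the thread or from the product: a minimal in-memory session store with an idle timeout, where every request resets the clock (so lengthy work that keeps issuing requests does not expire) and only an idle session is dropped. Timeout and login-rate values are constructed for the example; the 30-minute figure is the one proposed above.

```python
# Added example (not from the thread or the product): inactivity-based
# session store. Session ids, users and timing values are constructed.
import math
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    last_seen: float                          # time of the last request (seconds)
    data: dict = field(default_factory=dict)  # "objects we keep in the session"


class SessionStore:
    def __init__(self, idle_timeout_s: int):
        self.idle_timeout_s = idle_timeout_s
        self._sessions = {}                   # sid -> Session

    def login(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user, now)

    def touch(self, sid: str, now: float):
        """Per-request check. Each request resets the idle clock, so work that
        keeps talking to the server never times out; only an unattended
        console does (the unlocked-machine scenario). Returns None if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout_s:
            del self._sessions[sid]           # expired: same effect as a logout
            return None
        s.last_seen = now
        return s

    def reap(self, now: float) -> int:
        """Background sweep that frees idle sessions; returns how many were dropped."""
        dead = [k for k, s in self._sessions.items()
                if now - s.last_seen > self.idle_timeout_s]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def live(self) -> int:
        return len(self._sessions)


def peak_live_sessions(logins_per_hour: float, idle_timeout_s: int) -> int:
    """Worst case for a console: users log in, do little, and walk away, so
    every login stays resident for the whole idle timeout. Per-session
    objects are then multiplied by logins_per_hour * timeout (point 1 above)."""
    return math.ceil(logins_per_hour * idle_timeout_s / 3600)
```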
Re: [Dev] Let's increase default value for session timeout
Hi,

I am -0 for this. There are some negative effects of increasing session timeout.

1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
2) Security risk is marginally increased.

tx,
dimuthu

On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:

> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>
>> Hi,
>>
>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>
> +1
>
> thanks,
> Amila.

--
Dimuthu Leelarathne
Technical Lead
WSO2, Inc. (http://wso2.com)
email: dimut...@wso2.com
Lean . Enterprise . Middleware
Re: [Dev] Let's increase default value for session timeout
I think Admin Console is most of the time used when doing Demos. In such cases security is not a problem. For real production development it has to use Developer Studio.

thanks,
Amila.

On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne dimut...@wso2.com wrote:

> Hi,
>
> I am -0 for this. There are some negative effects of increasing session timeout.
>
> 1) Objects we keep in the session can grow. This will be multiplied by the number of users with active sessions.
> 2) Security risk is marginally increased.
>
> tx,
> dimuthu
>
> On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi am...@wso2.com wrote:
>
>> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew thari...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.
>>
>> +1
>>
>> thanks,
>> Amila.

--
Amila Suriarachchi
Software Architect
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware
phone : +94 71 3082805
[Dev] Let's increase default value for session timeout
Hi,

Let's do $subject. What we ship by default is a toy value good for running samples. When we are doing some lengthy work it will definitely time out in the middle of work and this is really frustrating for users. It should at least be 30 mins IMO.

--
Regards,
Tharindu

blog: http://mackiemathew.com/
M: +9459908