At present when you log in to OSO there's a 'remember me' flag you can set which makes your session persistent, by setting a flag in your user cookie.
This is a security issue, specifically because it leaves us open to cookie stealing attacks. With the 'remember me' flag we have to accept cookies no matter how long ago they were issued - someone may not have visited the site for months, but we still have to behave as if they are logged in when they come back. However, if a cookie is stolen we have no way of invalidating it other than disabling the account entirely. When the Auth app is deployed we will mitigate this problem in the Auth app itself by forcing people to re-supply their passwords when doing any security-critical operations such as registering a new SSH key or changing their password. That doesn't solve the general case however.

The new cookie introduced by the Auth app will have an expiration time and any expired cookies will be rejected. To stay logged in, the cookie has to be revalidated before the expiration time, at which point a new cookie with a new expiration time will be issued. This revalidation will happen behind the scenes during normal browsing of the site. The consequence of this is that if a cookie passes its expiration time people will be logged out of the site, and will have to re-login. This means that if someone *does* manage to steal a cookie, it will only be valid until the expiration time, which drastically reduces the attack window.

Somewhere between one and four hours seems like a reasonable time for the inactivity logout, although this will of course be configurable.

-- Alan Burlison --

_______________________________________________
website-discuss mailing list [email protected]
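The expiring, revalidated cookie scheme described in the post, as an added example that is not part of the original message or of the OSO Auth app. The names SECRET_KEY, INACTIVITY_TIMEOUT, issue_cookie, validate_cookie and revalidate_cookie, and the HMAC-SHA256 construction used to make the cookie tamper-evident, are assumptions of this illustration; the post only specifies an expiry time, rejection of expired cookies, and a behind-the-scenes re-issue before expiry.

```python
"""Expiring, MAC-protected session cookie with sliding revalidation.

Added example, not code from the OSO site or its Auth app.  SECRET_KEY,
INACTIVITY_TIMEOUT and the function names below are assumptions made for
this illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed: in a real deployment this is loaded from protected server-side
# configuration, never embedded in source.  Rotating it invalidates every
# outstanding cookie at once.
SECRET_KEY = b"example-only-server-secret-do-not-use"

# Inactivity logout window.  The post suggests one to four hours, configurable.
INACTIVITY_TIMEOUT = 2 * 60 * 60  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(body: str) -> str:
    # HMAC over the encoded body so neither the user nor the expiry can be edited.
    return _b64(hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_cookie(username: str, now: Optional[float] = None,
                 ttl: int = INACTIVITY_TIMEOUT) -> str:
    """Create a cookie that expires ttl seconds from now."""
    now = time.time() if now is None else now
    payload = {"user": username, "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_mac(body)}"


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None.

    The MAC is checked before the payload is parsed, so a forged or edited
    cookie is never trusted; an expired cookie is rejected even though its MAC
    is good, which is what bounds the window a stolen cookie is useful for.
    """
    now = time.time() if now is None else now
    body, sep, mac = cookie.partition(".")
    if not sep or not hmac.compare_digest(mac, _mac(body)):
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    user = payload.get("user")
    return user if isinstance(user, str) else None


def revalidate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Sliding renewal performed during normal browsing.

    A still-valid cookie is replaced by a fresh one carrying a new expiry; an
    expired or forged cookie gets nothing back, which logs the user out and
    forces a re-login.
    """
    user = validate_cookie(cookie, now)
    return None if user is None else issue_cookie(user, now)
```

Two properties matter for the attack the post describes: a cookie stolen at time t stops working at t plus at most INACTIVITY_TIMEOUT regardless of what the victim does, and the victim's own continued browsing does not extend the thief's copy, because revalidation issues a new cookie rather than extending the old one.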
