I’m noticing that I can stay logged in to the server manager for days at a time, leaving it inactive for several hours at a stretch, even persisting through server restarts. Although there is some convenience to this, it seems a bit insecure. Has there been thought given to setting up an inactivity timeout for this?
The server manager should be used by a person who knows the risks of leaving this page open without surveillance…
Yeah, and anyone with root privileges should know the danger of doing rm -r /, too, but there’s still a warning when you do it. It’s also more than simply leaving the page open; if you close the tab/window without logging out, you can browse back to the server-manager without needing to authenticate again.
It’s not a terribly big deal to me with my use case, but it still seems a bit insecure. There’s a reason that a timeout like this is pretty much universal in places that require a login.
I agree a timeout could be more secure. Modern browsers do not expire sessions any more when the window is closed, thus a session expiry policy must be implemented on the server side.
How long should it last?
I’d suggest 15-30 minutes, though I could be flexible with that. SME set it to 5 minutes when they implemented one, and that was just too short.
I agree with a minimum of 15 minutes to avoid annoying logouts. What about a db prop to set the expiry time?
Being configurable is always good.
My proposal is to expire the session after 4 hours of inactivity.
- 15 min idle timeout
- X hours absolute timeout
- Custom db prop
Yes, it seems we have divergent ideas of session timings.
I think we need a server manager page under Security category where the desired timeouts can be set.
- One slider for idle session timeout
- One slider for absolute session timeout
I’m not sure I’d agree with having an absolute timeout. If you’re actively using the server manager, I don’t think it should time you out. I can’t imagine what you’d be doing actively for several hours, but if you somehow are, it would be frustrating to be logged out in the process. But having a server manager panel to set (or enable/disable) the timeouts should cover all the bases.
Let’s ask @dnutan: why is an absolute timeout needed? How does it work?
About “4 hours” (half a workday) idle: for me a long idle time suits my use case when I start working on a customer server in the morning, then switch to another and finally come back to the first in the afternoon. Why do you prefer a few minutes’ expiry?
I guess it’s at least as much familiarity as anything else. Other systems I use which have timeouts (bank websites, post office, medical record systems are what come to mind) vary, but are well under an hour.
An absolute timeout could be a measure to reduce the exposure time to attacks against an active session or invalidate a hijacked one by forcing reauthentication (although in this case it could be too late).
I think it depends on each organization’s needs and how critical the service is from their POV. Some may have to adhere to NIST, ENISA, OWASP… recommendations.
An idle timeout might be enough for the use case of most small companies.
I agree with an absolute timeout; it will reduce the footprint for attacks.
I don’t agree with an idle timeout. I am aware that this is an administrative interface, therefore I know to log out and not leave the session to unskilled or unauthorized persons.
There’s no warning when I use a knife on my skin…
Filed a new issue here
I’d start with high default values, for backward compatibility:
- Idle session timeout 8 hrs
- Absolute session timeout 1 month
“High” I think doesn’t fit the size… especially for the absolute session timeout.
Sorry I don’t understand, could you explain in more detail?
I’m sorry, I will try to be more precise.
IMO 1 month for the server manager interface is really way too much as an absolute timeout. Even the idle timeout is quite too high.
Therefore, my suggestion is 4hrs for idle, and 12 hours for absolute timeout.
…and I’d suggest much shorter yet (edit: for the idle timeout–I don’t think I’d want less than 12 hours for the absolute, and might favor 24 hours). But if there’s a panel to easily adjust them, I don’t know that the defaults are critical either way.