Unexpire Session


Owen Winkler

Nov 26, 2007, 12:19:37 AM
to habari-dev
With the new session class, logins that go for more than 20 minutes
without activity are automatically logged out. This makes logins a
bit more secure, since session keys will not remain open for long
after you've abandoned your session.

Nonetheless, people are not familiar with this additional security,
and might prefer to eliminate this logout, especially on local test
sites. The attached plugin will disable the expiry of sessions for
logged-in users only, and will still perform the other checks (subnet
and user agent).

Owen

unexpiresession.zip

Michael Heilemann

Nov 26, 2007, 3:40:20 AM
to habar...@googlegroups.com
Is this how Habari is meant to act in the future as well? It seems contrary to how (estimated) 95% of people want to use their sites IMHO.

Scott Merrill

Nov 26, 2007, 7:02:37 AM
to habar...@googlegroups.com
Michael Heilemann wrote:
> Is this how Habari is meant to act in the future as well? It seems
> contrary to how (estimated) 95% of people want to use their sites IMHO.

I think the 20 minute expiration is an arbitrary choice for an initial
implementation of more secure session handling. It allows us to confirm
that the expirations are, in fact, occurring in an easy way.

I'd be comfortable with a slightly longer window -- say an hour or two
-- before expiration: it sometimes takes me a long time to compose a new
post!

And remember that every time you access the admin interface it refreshes
the expiration: so it's not like you have 20 minutes total in which to
work before logging in again. Rather, you have 20 minutes in which you
can access any (other) admin page in order to refresh your session.

> On Nov 26, 2007 6:19 AM, Owen Winkler <epi...@gmail.com> wrote:
>
> With the new session class, logins that go for more than 20 minutes
> without activity are automatically logged out. This makes logins a
> bit more secure, since session keys will not remain open for long
> after you've abandoned your session.
>
> Nonetheless, people are not familiar with this additional security,
> and might prefer to eliminate this logout, especially on local test
> sites. The attached plugin will disable the expiry of sessions for
> logged-in users only, and will still perform the other checks (subnet
> and user agent).
>
> Owen
>


--
GPG 9CFA4B35 | ski...@skippy.net | http://skippy.net/

Michael Heilemann

Nov 26, 2007, 7:13:33 AM
to habar...@googlegroups.com
It seems to me that, at the very least, the user should be given the option of 'remember me'. I know Habari isn't aiming for my mom as its core audience, but having to install a plugin to avoid the expiration seems like a case of pluginitis.

But maybe I'm being a bit rash :)

Scott Merrill

Nov 26, 2007, 7:19:47 AM
to habar...@googlegroups.com
Michael Heilemann wrote:
> It seems to me that, at the very least, the user should be given the
> option of 'remember me'. I know Habari isn't aiming for my mom as its
> core audience, but having to install a plugin to avoid the expiration
> seems like a case of pluginitis.

Security is inversely proportional to convenience. The more convenient
we make things, the more we run the risk of making the system less secure.

I'd rather keep Habari out of the list of vulnerable web-based
applications. If this requires users to log in a little more often, so
be it.

Michael Heilemann

Nov 26, 2007, 7:40:41 AM
to habar...@googlegroups.com
Well that's a discussion of its own; I don't agree, but that's one thing. What happens when people install the plugin, which in turn turns off expiration entirely, regardless of where you log in from?

Owen Winkler

Nov 26, 2007, 8:00:20 AM
to habar...@googlegroups.com
Michael Heilemann wrote:
> Well that's a discussion of its own; I don't agree, but that's one
> thing. What happens when people install the plugin, which in turn turns
> off expiration entirely, regardless of where you log in from?

The longer you retain your login session the less secure your system is,
because it allows hackers an additional window of entry that they
otherwise wouldn't have.

When you install the plugin, it makes your system less secure. The
reason it is a plugin is because we don't want your Habari install to be
less secure.

The plugin is provided for people who don't care that their installation
is made less secure, and take it upon themselves to cause their
installation to be less secure because they think they know better.

Installing this plugin makes Habari less secure than its default but is
currently still more secure than WordPress, which doesn't verify
sessions against IP or UA and transmits a permanently re-usable login
token (the md5 password hash) on every page load. I hear they're trying
to fix this. So it's not a matter of, "Why do we do this if they
don't?" It's a matter of, "How long until they catch up, and will they
choose to be more convenient versus more secure to appease users who
don't understand or value security?"

Owen

Michael Heilemann

Nov 26, 2007, 9:08:18 AM
to habar...@googlegroups.com
This is related, so I'll throw it here: When going directly to a page and being rerouted to the login page, the system should forward you to the page you were trying to get to upon successful login.

Chris J. Davis

Nov 26, 2007, 9:34:54 AM
to habar...@googlegroups.com
I too would like to see the timeout increased to an hour. I think
that it is a good compromise of security and convenience.

Chris

Robin Adrianse

Nov 26, 2007, 3:42:35 PM
to habar...@googlegroups.com
+1.