UI authentication session is not expiring
Bug #1852745 reported by Vladimir Grevtsev
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Triaged | Medium | Unassigned |
maas-ui | Invalid | Undecided | Unassigned |
Bug Description
One of our customers had a pentesting assessment performed, and the following recommendations were issued:
- Set the session timeout to the minimal value possible depending on the context of the application.
- Avoid an "infinite" session timeout.
Currently, authenticated sessions remain active indefinitely after their last use. If an authenticated user were to leave a browser window open without explicitly logging out of the application, another person may be able to resume that user's session several hours later simply by browsing to the MAAS UI on the same computer.
Changed in maas | status: New → Triaged | importance: Undecided → High | tags: added: ui
Changed in maas | assignee: nobody → Kit Randel (blr) | tags: added: api, removed: ui
Changed in maas | assignee: Kit Randel (blr) → nobody
Changed in maas-ui | status: Unknown → New | tags: removed: api
Changed in maas | milestone: 3.4.0 → 3.4.x
The session cookie is created by Django which also dictates the cookie expiry (in fact the cookie has HttpOnly so can't be accessed by JavaScript).
I think the expiry can be controlled by SESSION_COOKIE_AGE:
https://docs.djangoproject.com/en/3.0/ref/settings/#session-cookie-age
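As an added example (not code from this bug report, MAAS or Django), a small check that parses the Set-Cookie header a Django-backed UI returns at login and flags a session cookie whose lifetime exceeds a policy threshold or that lacks the HttpOnly/Secure flags. The 8-hour threshold, the cookie name `sessionid` and the sample headers are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Policy threshold (assumption): an authenticated UI session may live at most 8 hours.
MAX_IDLE_SECONDS = 8 * 3600


def cookie_lifetime_seconds(morsel, now):
    """Seconds the browser keeps the cookie, or None for a browser-session cookie.
    Max-Age takes precedence over Expires (RFC 6265, section 5.3)."""
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        return int((parsedate_to_datetime(morsel["expires"]) - now).total_seconds())
    return None


def audit_session_cookie(set_cookie_header, now, name="sessionid",
                         max_idle=MAX_IDLE_SECONDS):
    """Return a list of findings for the named session cookie in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return [f"no '{name}' cookie in Set-Cookie header"]
    morsel = jar[name]
    findings = []
    lifetime = cookie_lifetime_seconds(morsel, now)
    if lifetime is None:
        # A browser-session cookie is dropped only when the browser exits; a window
        # left open (the scenario in this bug) keeps it, so the server-side
        # SESSION_COOKIE_AGE has to bound the session instead.
        findings.append("no Max-Age/Expires: verify server-side SESSION_COOKIE_AGE")
    elif lifetime > max_idle:
        findings.append(f"lifetime {lifetime}s exceeds policy of {max_idle}s")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly")
    if not morsel["secure"]:
        findings.append("missing Secure")
    return findings


# Constructed sample headers, not captured from a real MAAS server. The first uses
# Django's default SESSION_COOKIE_AGE of two weeks (1209600 s) and no Secure flag.
NOW = datetime(2019, 11, 15, 12, 0, tzinfo=timezone.utc)
TWO_WEEKS = "sessionid=abc123; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax"
HARDENED = "sessionid=abc123; HttpOnly; Secure; Max-Age=3600; Path=/; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("two-weeks", TWO_WEEKS), ("hardened", HARDENED)):
        print(label, audit_session_cookie(header, NOW) or "ok")
```

Note that the cookie attributes only describe what the browser will keep; the server-side session store is what actually allows resumption, so the check above complements, rather than replaces, reviewing SESSION_COOKIE_AGE in the Django settings.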