Login session timeout and remember me box
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
KARL4 | Fix Released | High | Carlos de la Guardia | |
Bug Description
Dramatically lower the cookie age and remove the "Remember Me" checkbox.
OSF wants to beef up authentication security. We'd like to make people log in more frequently and in particular prevent stealing the auth cookie in some way and using it from another browser.
In a related sense, we'd like to have finer-grained "sessions" that tell us more about who/when is using the system.
For this task:
- Set the age of the cookie to a config-file value, defaulting to 10 hours if not present
- Remove the "Remember me" checkbox and just have that as a default
Paul then needs to remember for the osideploy task:
- Wipe the old cookies and force everyone to log in by changing the secret hash
- Add an osideploy Fabric config value for the age
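
The two mechanics this ticket asks for, as an added example that is not KARL's own code: a server-enforced cookie age read from config with a 10-hour default, and a forced re-login when the signing secret changes. The `auth_cookie_timeout` key name and the `userid|issued_at|mac` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import time

DEFAULT_TIMEOUT = 10 * 60 * 60  # 10 hours, the default named in the ticket


def cookie_timeout(settings):
    """Read the cookie age in seconds from config; fall back to 10 hours."""
    raw = settings.get("auth_cookie_timeout")  # hypothetical key name
    if raw is None or str(raw).strip() == "":
        return DEFAULT_TIMEOUT
    value = int(raw)
    if value <= 0:
        raise ValueError("auth_cookie_timeout must be positive")
    return value


def _sign(secret, payload):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(secret, userid, now=None):
    """Return 'userid|issued_at|mac' (assumed layout); age is checked server-side."""
    issued = int(time.time() if now is None else now)
    payload = f"{userid}|{issued}"
    return f"{payload}|{_sign(secret, payload)}"


def validate_cookie(secret, cookie, timeout, now=None):
    """Return the userid, or None if the cookie is forged, stale or malformed."""
    now = int(time.time() if now is None else now)
    try:
        payload, mac = cookie.rsplit("|", 1)
        userid, issued = payload.rsplit("|", 1)
        issued = int(issued)
    except ValueError:
        return None
    # Constant-time comparison; fails for a tampered payload or a rotated secret.
    if not hmac.compare_digest(mac.encode(), _sign(secret, payload).encode()):
        return None
    # Reject cookies older than the configured age (or stamped in the future).
    if not 0 <= now - issued <= timeout:
        return None
    return userid
```

Because the age check uses the signed issue time rather than the browser's cookie expiry, a copied cookie stops working after the configured age, and deploying a new secret rejects every cookie issued under the old one.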
Changed in karl4:
milestone: 022 → 023
importance: Medium → High
Changed in karl4:
status: Fix Committed → Fix Released
Nat, can you confirm the writeup on this? Also, Carlos... this ticket is a higher priority than others. We'd like to get this in testing by the beginning of next week.