Login session timeout and remember me box

Bug #1618470 reported by Paul Everitt
Affects: KARL4
Status: Fix Released
Importance: High
Assigned to: Carlos de la Guardia

Bug Description

Dramatically lower the cookie age and remove the "Remember Me" checkbox.

OSF wants to beef up authentication security. We'd like to make people log in more frequently and in particular prevent stealing the auth cookie in some way and using it from another browser.

In a related sense, we'd like to have finer-grained "sessions" that tell us more about who/when is using the system.

For this task:

- Set the age of the cookie to a config-file value, defaulting to 10 hours if not present

- Remove the "Remember me" checkbox and just have that as a default

Paul then needs to remember for the osideploy task:

- Wipe the old cookies and force everyone to log in by changing the secret hash

- Add an osideploy Fabric config value for the age

Tags: auth
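
A minimal sketch of the two mechanisms the ticket relies on: a config-driven cookie lifetime with a 10-hour default, and invalidating every outstanding cookie by changing the signing secret. This is an added example, not KARL's code; the `auth_cookie_max_age` setting name, the cookie layout and the function names are assumptions.

```python
import hashlib
import hmac
import time

DEFAULT_MAX_AGE = 10 * 60 * 60  # 10 hours, the default the ticket asks for


def cookie_max_age(settings):
    """Read the lifetime in seconds; 'auth_cookie_max_age' is a hypothetical key."""
    raw = settings.get("auth_cookie_max_age")
    if raw is None or str(raw).strip() == "":
        return DEFAULT_MAX_AGE
    age = int(raw)
    if age <= 0:
        raise ValueError("auth_cookie_max_age must be a positive number of seconds")
    return age


def _sign(secret, payload):
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(secret, userid, now=None):
    """Build 'signature:issued_at:userid' (an assumed layout for this sketch)."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}:{userid}"
    return f"{_sign(secret, payload)}:{payload}"


def validate_cookie(secret, cookie, max_age, now=None):
    """Return the userid, or None if the cookie is malformed, forged or stale."""
    now = int(time.time() if now is None else now)
    try:
        sig, issued, userid = cookie.split(":", 2)
        issued = int(issued)
    except ValueError:
        return None
    expected = _sign(secret, f"{issued}:{userid}")
    # Constant-time comparison; a cookie signed with the old secret fails here.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    # The age is enforced server-side from the signed timestamp, not from the
    # browser's cookie expiry, so a copied cookie stops working too.
    if issued > now or now - issued > max_age:
        return None
    return userid
```

A shorter lifetime narrows the window in which a copied cookie is usable; it does not by itself bind the cookie to one browser.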
Paul Everitt (paul-agendaless) wrote :

Nat, can you confirm the writeup on this? Also, Carlos...this ticket is a higher priority than others. We'd like to get this in testing by the beginning of next week.

description: updated
Nat Katin-Borland (nborland) wrote : RE: [Bug 1618470] Re: Login session timeout and remember me box

Yes, this sounds right to me!

--
Nathaniel Katin-Borland
Business Analyst | Information Systems
Open Society Foundations | New York | 224 W 57th Street, NY, NY 10019
Office: +1 212-548-0984
<email address hidden>
http://www.opensocietyfoundations.org

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Paul Everitt
Sent: Tuesday, August 30, 2016 9:56 AM
To: Nathaniel Katin-Borland
Subject: [Bug 1618470] Re: Login session timeout and remember me box

Nat, can you confirm the writeup on this? Also, Carlos...this ticket is a higher priority than others. We'd like to get this in testing by the beginning of next week.


Changed in karl4:
milestone: 022 → 023
importance: Medium → High
Carlos de la Guardia (cguardia) wrote :

This is on master right now. Needs some testing.

Changed in karl4:
status: New → Fix Committed
Changed in karl4:
status: Fix Committed → Fix Released