@diosmosis opened this Pull Request on May 29th 2019 Member
@mattab commented on May 31st 2019 Member

Feedback

  • we could change the session idle timeout to 1 hour or maybe even 30min?

according to https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-expiration

Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective.

@diosmosis commented on May 31st 2019 Member

we could change the session idle timeout to 1 hour or maybe even 30min?

Sure, I'll change the default config value.

@diosmosis commented on June 2nd 2019 Member

Updated. Feel free to change the default config value.

@mattab commented on June 5th 2019 Member

@diosmosis Looking at https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-expiration
I'm also wondering, do we already have Absolute Timeout implemented server side?

@diosmosis commented on June 5th 2019 Member

I don't think we want both, otherwise some will complain that the session shouldn't just end while they're using it.

@tsteur commented on June 7th 2019 Member

Maybe the absolute session timeout could be set to something like 3 months?

@tsteur commented on June 7th 2019 Member

Would then happen max 4 times a year. Any shorter absolute value would be annoying indeed.

@diosmosis commented on June 7th 2019 Member

This PR implements an idle timeout, not an absolute one (the saved start time of the session updated on each request).
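
The idle-versus-absolute distinction discussed in this thread, as an added illustration that is not Matomo's code: a sliding idle clock refreshed on every request, an optional hard cap from login, and a config parser that coerces the ini value to an integer (the kind of string-versus-number mismatch behind the "non-numeric value" warning reported later in this thread). Names such as `SessionPolicy`, `touch` and `run` are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionPolicy:
    # Sliding timeout: the activity timestamp is refreshed on every request,
    # so only a gap of this many seconds between requests ends the session.
    idle_timeout: int
    # Hard cap measured from login; None disables it (this PR adds idle only).
    absolute_timeout: Optional[int] = None

def parse_timeout(raw: str) -> int:
    """Coerce an ini value such as '30' to int; reject blanks and junk rather
    than letting a string reach timestamp arithmetic."""
    raw = raw.strip()
    if not raw.isdigit():
        raise ValueError(f"timeout must be a positive integer, got {raw!r}")
    return int(raw)

def login(now: float) -> dict:
    # Server-side record; the client cookie is only a handle to it.
    return {"started_at": now, "last_activity": now}

def check(session: dict, now: float, policy: SessionPolicy) -> Optional[str]:
    """Return None while valid, else the reason the session expired."""
    if (policy.absolute_timeout is not None
            and now - session["started_at"] > policy.absolute_timeout):
        return "absolute"
    if now - session["last_activity"] > policy.idle_timeout:
        return "idle"
    return None

def touch(session: dict, now: float, policy: SessionPolicy) -> Optional[str]:
    """Per-request path: validate first, refresh the idle clock only if valid.
    An expired session is destroyed server-side, not merely left to lapse."""
    reason = check(session, now, policy)
    if reason is not None:
        session.clear()
        return reason
    session["last_activity"] = now
    return None

def run(policy: SessionPolicy, login_at: float, request_times) -> list:
    """Replay request timestamps (constructed input); stop at first expiry."""
    session = login(login_at)
    outcomes = []
    for t in request_times:
        reason = touch(session, t, policy)
        outcomes.append(reason)
        if reason is not None:
            break
    return outcomes
```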

@mattab commented on June 10th 2019 Member

@tsteur could you please review this and merge?

@tsteur commented on June 11th 2019 Member

Not sure what happens, I set login_session_not_remembered_idle_timeout = 30 and I log in, then it appears like I was logged in successfully but am still anonymous and then also get these warnings:

core/Session/SessionAuth.php(209): Warning - A non-numeric value encountered - Matomo 3.10.0-b3 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)

There is no login failure, I get forwarded to dashboard but am not logged in.

@tsteur commented on June 14th 2019 Member

Works for me 👍 should be good to merge.

This Pull Request was closed on June 17th 2019