[Openstack-security] [Bug 1118441] Re: Horizon does not implement a browser session timeout
David Lyle
david.lyle at hp.com
Sun Jul 14 05:28:41 UTC 2013
** Changed in: horizon
Milestone: None => havana-2
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118441
Title:
Horizon does not implement a browser session timeout
Status in OpenStack Dashboard (Horizon):
Fix Committed
Bug description:
Horizon does not terminate user sessions (from a browser) after a
reasonable period of inactivity. The only timeout is that of
keystone's token which is often set to very long periods. The only
session timeout implemented by Horizon is Django's
SESSION_EXPIRE_AT_BROWSER_CLOSE which closes the session when the
browser closes.
Due to the nature of what can be done in Horizon (both now and in the
future) this could pose significant risk since it enables bystanders
to make use of unlocked workstations in order to access sensitive data
and do otherwise unauthorised activities on behalf of what some may
call a 'careless' end-user.
Implementing a reasonable inactive session timeout for Horizon would
mitigate this risk.
An option to solve this problem could be to include this code:
https://github.com/subhranath/django-session-idle-timeout
There is some discussion regarding possible solutions here:
http://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118441/+subscriptions
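As an added illustration of the inactivity timeout the report asks for (example code, not Horizon's and not the django-session-idle-timeout project's), this is a Django-style middleware that flushes a session once its recorded last activity is older than a configured limit. The setting name SESSION_IDLE_TIMEOUT, the idle_timed_out request attribute and the FakeSession/simulate helpers are assumptions made so the block runs without Django installed; in a real deployment request.session is Django's session object, whose flush() discards the data and rotates the session key.

```python
import time
from types import SimpleNamespace

SESSION_IDLE_TIMEOUT = 15 * 60       # assumed setting: seconds of inactivity allowed
LAST_ACTIVITY_KEY = "last_activity"  # session key holding the last request timestamp

def session_is_idle(session, now, timeout=SESSION_IDLE_TIMEOUT):
    """True when the last recorded activity is more than `timeout` seconds before `now`.
    A session with no recorded activity yet (first request) is not idle."""
    last = session.get(LAST_ACTIVITY_KEY)
    return last is not None and (now - last) > timeout

class SessionIdleTimeoutMiddleware:
    """Django-style middleware: flush idle sessions, otherwise refresh the activity stamp."""
    def __init__(self, get_response, timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self.get_response = get_response
        self.timeout = timeout
        self.clock = clock  # injectable so the timeout can be tested deterministically

    def __call__(self, request):
        session = request.session
        now = self.clock()
        if session_is_idle(session, now, self.timeout):
            # Discard server-side session data and cycle the session key, so a
            # bystander at an unlocked workstation cannot resume the stale login.
            session.flush()
            request.idle_timed_out = True   # hypothetical flag a view can act on
        else:
            request.idle_timed_out = False
            # Assigning a key marks the session modified, so Django saves it
            # even without SESSION_SAVE_EVERY_REQUEST.
            session[LAST_ACTIVITY_KEY] = now
        return self.get_response(request)

class FakeSession(dict):
    """Stand-in for request.session (constructed for the demo, not Django's class)."""
    def flush(self):
        self.clear()

def simulate(request_times, timeout=SESSION_IDLE_TIMEOUT):
    """Replay constructed request timestamps; return which requests hit the idle timeout."""
    clock = {"now": 0}
    mw = SessionIdleTimeoutMiddleware(lambda req: req, timeout, clock=lambda: clock["now"])
    session = FakeSession()
    outcomes = []
    for t in request_times:
        clock["now"] = t
        outcomes.append(mw(SimpleNamespace(session=session)).idle_timed_out)
    return outcomes
```

Because the stamp is refreshed on every request, the check is cheap, but the session is also written on every request; a deployment that wants fewer session writes can refresh the stamp only when it is older than some fraction of the timeout.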