[Openstack-security] [Bug 1118441] Re: Horizon does not implement a browser session timeout

Thierry Carrez thierry.carrez+lp at gmail.com
Wed Jul 17 10:46:32 UTC 2013


** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118441

Title:
  Horizon does not implement a browser session timeout

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  Horizon does not terminate user sessions (from a browser) after a
  reasonable period of inactivity. The only timeout is that of
  keystone's token which is often set to very long periods. The only
  session timeout implemented by Horizon is Django's
  SESSION_EXPIRE_AT_BROWSER_CLOSE which closes the session when the
  browser closes.

  Due to the nature of what can be done in Horizon (both now and in the
  future) this could pose significant risk since it enables bystanders
  to make use of unlocked workstations in order to access sensitive data
  and do otherwise unauthorised activities on behalf of what some may
  call a 'careless' end-user.

  Implementing a reasonable inactive session timeout for Horizon would
  mitigate this risk.

  An option to solve this problem could be to include this code:
  https://github.com/subhranath/django-session-idle-timeout

  There is some discussion regarding possible solutions here:
  http://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118441/+subscriptions
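As an added illustration of the inactivity check the report asks for (example code, not Horizon's code and not the linked django-session-idle-timeout project): each request compares the session's stored last-activity time against an idle limit, and an idle session is flushed server-side and sent back to login. It assumes a dict-like session with a flush() method, as Django's request.session provides; the key name "last_activity" and the FakeSession stand-in are constructed for this example.

```python
import time

SESSION_KEY = "last_activity"  # hypothetical session key, chosen for this example


class FakeSession(dict):
    """Minimal stand-in for Django's request.session so the example runs offline."""

    def flush(self):
        # Django's flush() deletes the server-side session data and rotates the key;
        # clearing the dict models the part that matters here.
        self.clear()


class IdleTimeout:
    """Per-request inactivity policy, independent of Keystone's token lifetime."""

    def __init__(self, idle_seconds):
        self.idle_seconds = idle_seconds

    def touch(self, session, now=None):
        """Return 'expired' if the session was idle longer than the limit, else 'ok'.

        On expiry the whole session (including any stored Keystone token reference)
        is discarded, so a bystander at an unlocked workstation cannot reuse it.
        """
        now = time.time() if now is None else now
        last = session.get(SESSION_KEY)
        if last is not None and now - last > self.idle_seconds:
            session.flush()
            return "expired"
        session[SESSION_KEY] = now  # activity seen: restart the idle window
        return "ok"


def handle_request(policy, session, is_authenticated, now=None):
    """What a middleware would do per request: 'redirect_to_login' or 'continue'."""
    if not is_authenticated:
        return "continue"  # nothing to time out on the login page itself
    if policy.touch(session, now) == "expired":
        return "redirect_to_login"
    return "continue"


if __name__ == "__main__":
    s, p = FakeSession(), IdleTimeout(idle_seconds=1800)
    print(handle_request(p, s, True, now=1000))        # continue
    print(handle_request(p, s, True, now=1000 + 3601)) # redirect_to_login
```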




More information about the Openstack-security mailing list