[Openstack-security] [Bug 1118441] Re: Horizon does not implement a browser session timeout
OpenStack Hudson
1118441 at bugs.launchpad.net
Thu Jun 20 11:20:57 UTC 2013
Fix proposed to branch: master
Review: https://review.openstack.org/33802
** Changed in: horizon
Status: Confirmed => In Progress
** Changed in: horizon
Assignee: Jesse Pretorius (jesse-pretorius) => Matthias Runge (mrunge)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118441
Title:
Horizon does not implement a browser session timeout
Status in OpenStack Dashboard (Horizon):
In Progress
Bug description:
Horizon does not terminate user sessions (from a browser) after a
reasonable period of inactivity. The only timeout is that of
keystone's token which is often set to very long periods. The only
session timeout implemented by Horizon is Django's
SESSION_EXPIRE_AT_BROWSER_CLOSE which closes the session when the
browser closes.
Due to the nature of what can be done in Horizon (both now and in the
future) this could pose significant risk since it enables bystanders
to make use of unlocked workstations in order to access sensitive data
and do otherwise unauthorised activities on behalf of what some may
call a 'careless' end-user.
Implementing a reasonable inactive session timeout for Horizon would
mitigate this risk.
An option to solve this problem could be to include this code:
https://github.com/subhranath/django-session-idle-timeout
There is some discussion regarding possible solutions here:
http://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118441/+subscriptions
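The idle-timeout approach the report points to (the django-session-idle-timeout project) works as a Django middleware that stamps each request with the time of last activity and flushes the session once the gap exceeds a threshold. The following is an added illustration in that style, not Horizon's code nor the linked project's; it deliberately avoids importing Django so the logic runs stand-alone, and `IDLE_TIMEOUT_SECONDS`, `LAST_ACTIVITY_KEY`, `DictSession` and `FakeRequest` are constructed stand-ins.

```python
import time

# Assumed settings for this example; a deployment would read them from settings.py.
IDLE_TIMEOUT_SECONDS = 15 * 60          # 15 minutes of inactivity
LAST_ACTIVITY_KEY = "last_activity"     # session key holding the last-request timestamp


def idle_session_expired(session, now, timeout=IDLE_TIMEOUT_SECONDS):
    """Return True when the session has been idle longer than `timeout` seconds.

    `session` is any mutable mapping with a flush() method (Django's session
    object has both).  On expiry the session is flushed, so the browser's
    cookie no longer maps to a logged-in user and the stored keystone token
    is discarded with it; otherwise the activity timestamp is refreshed.
    """
    last = session.get(LAST_ACTIVITY_KEY)
    if last is not None and now - last > timeout:
        session.flush()
        return True
    session[LAST_ACTIVITY_KEY] = now
    return False


class SessionIdleTimeoutMiddleware(object):
    """Old-style (Django 1.x) middleware: process_request runs before every view."""

    def process_request(self, request):
        # A session with no activity stamp (anonymous or brand new) is just stamped.
        if idle_session_expired(request.session, time.time()):
            # Constructed flag; a real middleware would redirect to the login page.
            request.idle_timed_out = True
        return None


class DictSession(dict):
    """Constructed stand-in for Django's session: a dict with flush()."""

    def flush(self):
        self.clear()


class FakeRequest(object):
    """Constructed stand-in for HttpRequest carrying only a session."""

    def __init__(self, session):
        self.session = session
        self.idle_timed_out = False
```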
More information about the Openstack-security
mailing list