- Title changed: previous value "Allow Configurable Idle Session Timeout", current value "Allow configurable idle session timeout"
- State changed as code fixing the issue is committed (15c2f61f)
- OneDev changed state to 'Closed' 2 months ago: previous value Open, current value Closed
- State changed as build OD-6754 is successful
- OneDev changed state to 'Released' 2 months ago: previous value Closed, current value Released
Session timeout is 30 min by default in 13.0.10 and can be configured in system settings.
| Field | Value |
| --- | --- |
| Type | Improvement |
| Priority | Normal |
| Assignee | |
| Labels | No labels |
Consider as a side issue adjacent to OD-2241.
We are investigating leveraging OneDev for our CI/CD use cases, and after a web security assessment, the assessors determined that the current approach to how idle session timeouts are handled does not meet their OWASP standard for idle session timeouts (currently configured as no timeout as long as the browser/machine is open/active, considered problematic if a user goes on leave and an intrusion happens while the PC/browser is active) [OWASP Session Management - Idle Timeouts]. The assessor recommends a client-side idle timeout of one hour of inactivity, regardless of whether the browser/PC is active, based instead on whether there is activity going on within the page itself.
This ticket proposes a configurable option that allows admins to set a global idle session timeout for users (can default to the current settings).