kvmd session timeout #1204
Comments
This is implemented intentionally so as not to bother the user. Personally, my eyelid twitches every time sites ask me to relogin without any meaning. Are you sure this is necessary?
Yes. It's a major security risk if a user doesn't remember to log out and walks away. It should be a flag or be configurable in the yaml. Why have OTP if you are just always logged in?
I assume that if a user uses a computer with public access, then he should lock the screen when he leaves or log out on his own. Otherwise, there is no safe time interval, because even five minutes of physical access is enough to steal cookies or do something else. In short, a timeout does not solve the security problem in any way.
What interval do you consider acceptable?
Sup?
Describe the bug
HTTP/Web authentication seems to never time out/expire unless you restart the kvmd service or manually log out. If you restart the kvmd service, then auth is cleared and users are forced to log in again. This is a security risk if someone forgets to log out manually.
To Reproduce
1.) Log in to the web GUI.
2.) Open the KVM control to display the remote computer.
3.) Close the browser (do not log out, as a lot of users will do).
4.) Re-open the browser (even days/weeks? later) and you are still logged in.
Expected behavior
You should be re-prompted to login.
Desktop (please complete the following information):
PiKVM info:
kvmd 3.287-1
kvmd-fan 0.26-1
kvmd-oled 0.26-1
kvmd-platform-v3-hdmi-rpi4 3.287-1
kvmd-webterm 0.47-1
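
The expiry behaviour debated in this issue, as an added example that is not kvmd's code and not part of the thread: a hypothetical in-memory `SessionStore` in which a timeout of 0 reproduces the reported never-expire behaviour, while a non-zero idle timeout or maximum lifetime forces a new login. The class, its parameter names and the 15-minute and 8-hour values are assumptions chosen for illustration.

```python
import secrets
import time


class SessionStore:
    """Hypothetical token store; 0 disables a limit (the behaviour reported above)."""

    def __init__(self, idle_timeout=0, max_lifetime=0, clock=time.monotonic):
        self._idle = idle_timeout      # seconds without a request before expiry
        self._max = max_lifetime       # seconds since login before expiry
        self._clock = clock
        self._sessions = {}            # token -> (user, created, last_seen)

    def login(self, user):
        token = secrets.token_hex(32)
        now = self._clock()
        self._sessions[token] = (user, now, now)
        return token

    def check(self, token):
        """Return the user for a live token, or None (and drop it) if expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created, last_seen = entry
        now = self._clock()
        idle_expired = self._idle > 0 and now - last_seen > self._idle
        too_old = self._max > 0 and now - created > self._max
        if idle_expired or too_old:
            del self._sessions[token]  # expire server-side, not just in the cookie
            return None
        self._sessions[token] = (user, created, now)  # sliding idle window
        return user


class FakeClock:
    """Constructed clock so the demo can skip ahead without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    legacy = SessionStore(clock=clock)  # no limits set
    strict = SessionStore(idle_timeout=900, max_lifetime=8 * 3600, clock=clock)
    t_legacy, t_strict = legacy.login("admin"), strict.login("admin")
    clock.now += 14 * 24 * 3600         # browser reopened two weeks later
    return legacy.check(t_legacy), strict.check(t_strict)
```

Because the tokens live only in process memory, restarting the process clears them in both configurations, which matches the restart behaviour described in the report.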