
kvmd session timeout #1204

Open
cconkrig opened this issue Jan 6, 2024 · 5 comments

Comments

@cconkrig

cconkrig commented Jan 6, 2024

Describe the bug
HTTP/Web authentication seems to never time out/expire unless you restart the kvmd service or manually log out. If you restart the kvmd service, then auth is cleared and users are forced to log in again. This is a security risk if someone forgets to log out manually.

To Reproduce
1.) Log in to the web GUI.
2.) Open the KVM control to display the remote computer.
3.) Close the browser (do not log out, as a lot of users will do).
4.) Re-open the browser (even days/weeks? later) and you are still logged in.

Expected behavior
You should be re-prompted to log in.

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Chrome
  • Version: 120.0.6099.130 (64-bit)
  • VNC client (if used): N/A

PiKVM info:

  • Raspberry Pi board version: RPi 4
  • PiKVM platform: v3-hdmi
  • Video capture type: CSI bridge
  • KVMD version:
    kvmd 3.287-1
    kvmd-fan 0.26-1
    kvmd-oled 0.26-1
    kvmd-platform-v3-hdmi-rpi4 3.287-1
    kvmd-webterm 0.47-1
  • uStreamer version: ustreamer 5.45-1
  • Linux kernel: Linux pikvm 6.1.61-1-rpi-ARCH #1 SMP Fri Nov 3 20:48:52 MSK 2023 armv7l GNU/Linu

@mdevaev
Member

mdevaev commented Jan 6, 2024

This is implemented intentionally so as not to bother the user. Personally, my eyelid twitches every time sites ask me to relogin without any meaning. Are you sure this is necessary?

@cconkrig
Author

cconkrig commented Jan 7, 2024

Yes. It's a major security risk if a user doesn't remember to log out and walks away. It should be a flag or be configurable in the yaml. Why have OTP if you are just always logged in?

@mdevaev
Member

mdevaev commented Jan 7, 2024

I assume that if a user uses a computer with public access, then he should lock the screen when he leaves or log out on his own. Otherwise, there is no safe time interval, because even five minutes of physical access is enough to steal cookies or do something else. In short, a timeout does not solve the security problem in any way.
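For readers following the two positions above, here is an added example (not kvmd's own code, and not a proposed patch) of what the requested configurable expiry usually looks like on the server side: an in-memory session table with an idle timeout and a hard maximum lifetime, where setting both to 0 gives the never-expiring behaviour the issue reports. The `SessionStore`, `Session` and `FakeClock` names are assumptions for this illustration. As the maintainer notes, a timeout only narrows the window of an unattended session; it does nothing against a cookie copied during physical access, which is why a server-side table that can be revoked (`revoke_user`) matters more than the interval itself.

```python
"""In-memory session store with configurable idle and absolute timeouts.

Added example, not kvmd's implementation. The clock is injected so the
expiry logic can be exercised without waiting; the defaults (0, 0) model
the "never expires" behaviour described in the issue.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float   # absolute lifetime is measured from here
    last_seen: float    # idle timeout is measured from here


class FakeClock:
    """Hypothetical test clock: advance .t manually instead of sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    idle_timeout:  seconds of inactivity after which the session is dropped
                   (0 disables the check).
    max_lifetime:  hard cap in seconds regardless of activity (0 disables).
    """

    def __init__(self, idle_timeout: float = 0, max_lifetime: float = 0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return its token (256 bits of randomness)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_user(self, user: str) -> int:
        """Drop every session of a user (e.g. after a password change)."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def _lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison so a lookup does not leak how many
        # leading bytes of a guessed token matched a stored one.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return sess
        return None

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None if unknown or expired."""
        sess = self._lookup(token)
        if sess is None:
            return None
        now = self._clock()
        if self.max_lifetime and now - sess.created_at > self.max_lifetime:
            self.logout(token)
            return None
        if self.idle_timeout and now - sess.last_seen > self.idle_timeout:
            self.logout(token)
            return None
        sess.last_seen = now   # sliding window: activity extends the session
        return sess.user


def demo() -> bool:
    """Ten-minute idle timeout: the session survives activity, dies when idle."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=600, max_lifetime=8 * 3600, clock=clock)
    token = store.login("admin")
    clock.t += 599
    still_valid = store.authenticate(token) == "admin"
    clock.t += 601                     # no activity for more than ten minutes
    expired = store.authenticate(token) is None
    return still_valid and expired


if __name__ == "__main__":
    print("idle timeout works:", demo())
```

With both limits at 0 the table behaves exactly as the report describes: a token issued weeks ago still authenticates until the process restarts (the dictionary is lost) or the user logs out.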

@mdevaev
Member

mdevaev commented Jan 10, 2024

What interval do you consider acceptable?

@mdevaev
Member

mdevaev commented Jan 28, 2024

Sup?
