  1. Couchbase Server
  2. MB-6355

Timeout in UI doesn't seem to be updated in Views and is still absurdly short

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: bug-backlog
    • Component/s: UI
    • Security Level: Public
    • Labels:
      None
    • Triage:
      Untriaged

      Description

      Was working along in Views, and got logged out just before clicking something...

      We need to make the timeout longer, and make sure everything in the UI updates the timeout--if we keep it, or choose not to set it to something sane (i.e., greater than 5 minutes).


        Activity

        aaron Aaron Miller (Inactive) added a comment - - edited

        In light of this post: https://groups.google.com/d/msg/couchbase-8091/tOPdBUVZouU/7_IvOPC2bq8J

        Quoted for any not on the 8091 list: "Actually timed out logout does not add much security - it works only when you have browser window open. When I happen to browse to another URL in the same tab/window and return back to Couchbase even several days later, it does not ask for password and opens immediately.

        It looks like it is some kind of javascript client side check."

        It would seem the implementation as-is does not really offer more security than annoyance. This patch would remove it: http://review.couchbase.org/#/c/21276/

        If we actually want to offer some sort of security we could make the login cookie a session cookie. Mind, if an adversary has physical access to a user's unlocked machine, our timing out will not save them.
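
The point made in the comment above, as an added example that is not part of the original comment or of Couchbase's code: an idle timeout enforced on the server rejects a stale cookie even after days away, and the cookie is issued without `Expires`/`Max-Age` so the browser treats it as a session cookie. The cookie name `ui_session`, the `SessionStore` class and the 30-minute limit are assumptions for illustration.

```javascript
const { randomBytes } = require('crypto');

const IDLE_LIMIT_MS = 30 * 60 * 1000; // assumed policy value, not from the ticket

class SessionStore {                   // hypothetical helper, in-memory only
  constructor(now = () => Date.now()) {
    this.now = now;                    // injectable clock so expiry can be exercised
    this.sessions = new Map();         // token -> { user, lastSeen }
  }

  // Create a session. The Set-Cookie value carries no Expires/Max-Age,
  // which makes it a session cookie rather than a persistent one.
  login(user) {
    const token = randomBytes(32).toString('hex');
    this.sessions.set(token, { user, lastSeen: this.now() });
    const setCookie = `ui_session=${token}; Path=/; HttpOnly; Secure; SameSite=Strict`;
    return { token, setCookie };
  }

  // Called on every authenticated request, from any part of the UI.
  // The idle check runs here, not in browser JavaScript.
  authenticate(token) {
    const s = this.sessions.get(token);
    if (!s) return null;
    if (this.now() - s.lastSeen > IDLE_LIMIT_MS) {
      this.sessions.delete(token);     // expired: the old cookie is now useless
      return null;
    }
    s.lastSeen = this.now();           // any request slides the idle window
    return s.user;
  }

  logout(token) { this.sessions.delete(token); }
}

// Constructed scenario: two requests within the limit, then a return days later.
function demo() {
  let t = 0;
  const store = new SessionStore(() => t);
  const { token, setCookie } = store.login('admin');
  t += 20 * 60 * 1000; const active = store.authenticate(token);
  t += 20 * 60 * 1000; const stillActive = store.authenticate(token);
  t += 3 * 24 * 60 * 60 * 1000; const afterDays = store.authenticate(token);
  return { setCookie, active, stillActive, afterDays };
}
```

Browsers configured to restore the previous session can keep session cookies across restarts, which is why the server-side check carries the enforcement.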

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Fixed by removal of logout timer


          People

          • Assignee:
            alkondratenko Aleksey Kondratenko (Inactive)
            Reporter:
            BigBlueHat Benjamin Young