Description
Was working along in Views, and got logged out just before clicking something...
We need to make the timeout longer, and make sure *everything* in the UI updates the timeout--if we keep it, or choose not to set it to something sane (i.e., greater than 5 minutes).
Activity
Quoted for any not on the 8091 list: "Actually timed out logout does not add much security - it works only when you have browser window open. When I happen to browse to another URL in the same tab/window and return back to Couchbase even several days later, it does not ask for password and opens immediately.
It looks like it is some kind of javascript client side check."
It would seem the implementation as-is does not really offer more security than annoyance. This patch would remove it: http://review.couchbase.org/#/c/21276/
If we actually want to offer some sort of security we could make the login cookie a session cookie. Mind, if an adversary has physical access to a user's unlocked machine, our timing out will not save them.
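An added example, not part of the comments above and not Couchbase's code: it goes one step beyond the session-cookie suggestion by also enforcing the idle timeout on the server, so that expiry no longer depends on a JavaScript timer running in an open tab. The `SessionStore` class, the cookie name `auth` and the 30-minute limit are assumptions made for illustration.

```javascript
const { randomBytes } = require("crypto");

const IDLE_MS = 30 * 60 * 1000; // assumed idle limit, not a Couchbase setting

class SessionStore {
  constructor(idleMs = IDLE_MS) {
    this.idleMs = idleMs;
    this.sessions = new Map(); // token -> time of last activity (ms)
  }

  // Issue an unguessable token after a successful login.
  create(now = Date.now()) {
    const token = randomBytes(32).toString("hex");
    this.sessions.set(token, now);
    return token;
  }

  // Call on every authenticated request. The server decides expiry, so the
  // limit holds even if the page's timer never ran (tab navigated away).
  touch(token, now = Date.now()) {
    const last = this.sessions.get(token);
    if (last === undefined) return false; // unknown or already expired
    if (now - last > this.idleMs) {
      this.sessions.delete(token); // expired: force a fresh login
      return false;
    }
    this.sessions.set(token, now); // any request counts as activity
    return true;
  }
}

// Omitting Expires and Max-Age makes this a session cookie, which the browser
// discards when it exits. HttpOnly keeps the token away from page scripts.
function sessionCookie(token) {
  return `auth=${token}; Path=/; HttpOnly; SameSite=Strict`;
}
```

Because `touch` refreshes the timestamp on every request, any UI action that reaches the server extends the session, which also addresses the complaint in the description about being logged out while working.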