0
Fixed

(admin page) Missing login expiration

Elouan 4 years ago updated by Tom 4 years ago 7

It seems that the admin page is not very secured: once the admin is logged in, the page .../admin stays open for an infinite amount of time until a user clicks on "log administrator out"

  • Even after a full night without activity, [and in fact, without even any connection to the page] in the morning, I can still access the admin page without beeing requested to put in the password
  • one the admin is logged in, there is no IP check. I've moved from home (local network) to office (external network), and ubooquity doesn't detect there has been a change and doesn't request to put in the password

This is worrisome because it means that once an admin is logged-in, anybody can access the admin page; and I mean anybody: it's not even limiting access to registered users, anybody trying that page will gain access to the admin page

This is a bit strange because it seems to me [although I haven't really tested that] that the main pages for consulting the library does not suffer from this security breach

I suggest to improve

  • add an "inactivity timer" in the admin page, set to 5 minutes by default [you may add this parameter in the admin settings];
  • detect the IP address of the client connection so that whenever it's a new IP, ubooquity requests a new login.
  • add something at the bottom of the page displaying the number of clients connected to the admin page => this could help detect intrusion

Umm, authentication for both users and admin are cookie-based. Trying the direct url to the admin page from a different browser (or incognito mode, if you only have the one browser) will prompt for a password again.

Let me guess, Chrome user? Did you know if you're authenticated with your Google account, cookies can transfer from client to client? Yup, it can. And it sounds like exactly what's happening.

mmm, I don't use Chrome but you might have a point: I've just tested connection to the admin with 2 different browsers on the same PC and I got the password prompt. So you got that right


But I still feel the admin should be more secured: when wrote this report, I used the same laptop when I left home and when I get to the office. This cookie thing would explain why I didn't have any prompting. But I still feel it's not good enough

  • I changed IP address between home and office => this should prompt for a new password
  • There was at least 1 hour between the time I left home and the time I get to the office during which I'm sure my laptop was disconnected => this should prompt for a new password

The cookies themselves do timeout, though it's pretty long. Using the same device across multiple network connections isn't exactly as insecure as a page being wide-open.

You made it sound like you were using different devices at home/work, which would mean multiple browsers/devices are sharing a cookie, hence assuming Chrome.


Many other services that use cookie-based authentication would (and do) operate exactly the same way

Sorry, my explanation was misleading: I didn't think of cookie authentification and just assumed the worst...

It makes sense to allow for multiple network connections using the same cookie

But maybe we could reduce the time-out ? to something like 15min or 30min. This is normally plenty enough to do whatever you need to do. Or let an admin set this value in the admin page?

Fixed

The new web admin (in version 2.0) will have a "remember me" checkbox.

Don't check it and your cookie will expire when you close your browser (that's a very standard behavior).


Otherwise the session will stay alive for 30 days.

(in the meantime, you can log off manually with the "log out" link)

+1

I wish I could give one ! :)

But I don't have much control over the time I can put into Ubooquity, so I'll stay with "When it's done".


The good news is that I have finished two big tasks that took waaay more time than anticipated:

- migration to Jetty instead of NanoHTTPD to server pages

- rewrite of the admin UI (both desktop and web versions)


Other features I want to include in 2.0.0 should take less time.