It seems that the admin page is not very secure: once the admin is logged in, the page .../admin stays open for an infinite amount of time until a user clicks on "log administrator out".
- Even after a full night without activity [and in fact, without any connection to the page at all], in the morning I can still access the admin page without being asked for the password.
- Once the admin is logged in, there is no IP check. I've moved from home (local network) to the office (external network), and Ubooquity doesn't detect that there has been a change and doesn't ask for the password.
This is worrisome because it means that once an admin is logged in, anybody can access the admin page; and I mean anybody: access is not even limited to registered users, anybody trying that page will gain access to the admin page.
This is a bit strange because it seems to me [although I haven't really tested that] that the main pages for consulting the library do not suffer from this security breach.
I suggest the following improvements:
- add an "inactivity timer" to the admin page, set to 5 minutes by default [you may add this parameter in the admin settings];
- detect the IP address of the client connection so that whenever it's a new IP, Ubooquity requests a new login;
- add something at the bottom of the page displaying the number of clients connected to the admin page => this could help detect intrusion.