On 25/01/16 10:05, Stian Thorgersen wrote:
Hmm... Don't you think the 90 seconds example is not realistic for
any deployment?
Another thing is "Client login timeout". This is limited just by
network performance and doesn't require any action from the user.
Usually it will take around 1-2 seconds to complete. So shouldn't we
decrease the current default value of 1 minute to something lower (10
seconds?). Having a bigger value theoretically decreases login
security, as an attacker has more time to exchange a stolen code for a
token.
I am not saying validation is lack of time. Agree we should have
them. But IMO validations are not always sufficient and I don't
think that we can handle every "bad" situation. So would recommend
people to do a backup of the database to prevent mis-configured things.
Also not sure if it's always good approach to restrict functionality
from the admin console just to prevent people from breaking things. Likely
yes in some cases (builtin objects), however in some other it may be
better to use confirmation warnings (Do you really want to set the
timeout just to 10 seconds? Do you really want to re-configure
browser authentication flow of master realm? etc). I suppose admins
are technical people and they know what they're doing.
How about using the confirmation dialog if any timeout is set to a
smaller value than 10 seconds, as I mentioned above?
There are likely much more things, which we should handle regarding
timeouts. And likely disallow some of them. For example:
- If someone sets "Session Idle timeout" smaller than "Access token
timeout", the refreshes will be broken. This config should
probably be restricted.
- Same for "Session max lifespan". Maybe we should prevent people
from setting "Session max lifespan" to be shorter than any other timeout
at all (despite "Offline session idle").
Marek
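The timeout relationships discussed in this message, as an added Python model of the proposed validations (illustrative code, not Keycloak's own); the configuration keys are constructed stand-ins for the admin-console fields named above, with all values in seconds:

```python
# Model of the realm-timeout sanity checks proposed in the message.
# Added illustration, not Keycloak code. Keys are constructed names for the
# admin-console fields discussed above; values are seconds.

CONFIRM_BELOW = 10  # threshold proposed in the message for a confirmation dialog


def validate_timeouts(cfg: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a realm timeout configuration.

    "error"   -> should be restricted outright in the admin console
    "confirm" -> should require an explicit admin confirmation
    """
    findings = []
    idle = cfg["session_idle"]
    max_life = cfg["session_max"]
    token = cfg["access_token"]

    # If the SSO session idles out before the access token expires, the first
    # refresh attempt after idle expiry already fails: refresh is broken.
    if idle < token:
        findings.append(("error",
            f"session_idle ({idle}s) is shorter than access_token ({token}s); "
            "token refresh would break"))

    # Session max lifespan bounds everything except offline sessions, so any
    # other timeout longer than it can never actually be reached.
    for name, value in cfg.items():
        if name in ("session_max", "offline_session_idle"):
            continue
        if value > max_life:
            findings.append(("error",
                f"{name} ({value}s) exceeds session_max ({max_life}s)"))

    # Very small values are rarely intended; ask the admin to confirm them.
    for name, value in cfg.items():
        if value < CONFIRM_BELOW:
            findings.append(("confirm",
                f"{name} is {value}s; confirm values below {CONFIRM_BELOW}s"))
    return findings


# Constructed sample: a realm whose idle timeout is shorter than the access
# token lifespan and whose client login timeout is suspiciously small.
SAMPLE = {
    "session_idle": 60,
    "session_max": 600,
    "access_token": 300,
    "client_login": 5,
    "offline_session_idle": 2592000,
}

if __name__ == "__main__":
    for sev, msg in validate_timeouts(SAMPLE):
        print(f"[{sev}] {msg}")
```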