View Issue Details

ID: 12143
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2017-11-17 11:48
Reporter: Rudloff
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: assigned
Resolution: reopened
Summary: 12143: Add a login cookie with a duration longer than the session
Description

Hello,

It seems the admin login uses PHP sessions, which are destroyed at the end of the browsing session (or even before, if the server cleans the sessions every X minutes), which is pretty annoying.
Would it be possible to add a login cookie with a longer duration, which is what most web apps do nowadays?
It can be optional with a "Remember me" checkbox.

Tags: No tags attached.

Activities

DenisChenu (developer), 2017-02-21 18:59, ~43054

I like it; it can be done in a plugin currently.

But:

  • cookies must really have some encryption mechanism
  • cookies must use some salt

Rudloff (reporter), 2017-02-21 19:06, ~43058

We can use a library like rememberme (https://github.com/gbirke/rememberme) to ensure that the cookie is sufficiently secure.
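The selector/validator scheme that remember-me libraries of this kind implement, written out as an added PHP example (this is not LimeSurvey's code and not the rememberme library itself; the cookie name, the in-memory store standing in for a database table, and the function names are hypothetical):

```php
<?php
// Added example: a "remember me" token with a public selector and a secret
// validator. Only a hash of the validator is stored server-side, so a leaked
// copy of the table cannot be replayed as a cookie. Names are hypothetical.

declare(strict_types=1);

const REMEMBER_COOKIE = 'ls_remember';      // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 7;   // 7 days, in seconds

/**
 * Issue a persistent-login token for $userId.
 * Returns [cookieValue, storedRow]. The validator is 32 random bytes, so a
 * plain SHA-256 (no slow KDF needed) is enough to protect the stored copy.
 */
function issueRememberToken(int $userId, int $now): array
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key (24 hex chars)
    $validator = bin2hex(random_bytes(32));   // secret, sent to the browser once (64 hex chars)
    $row = [
        'selector'       => $selector,
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires'        => $now + REMEMBER_TTL,
    ];
    return [$selector . ':' . $validator, $row];
}

/**
 * Resolve a cookie value to a user id, or null if it is not acceptable.
 * Expired rows are dropped. A known selector with a wrong validator means the
 * cookie was stolen or forged: every token of that user is revoked.
 */
function checkRememberToken(string $cookie, array &$store, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{24}:[0-9a-f]{64}$/', $cookie)) {
        return null;                           // malformed cookie
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    if (!isset($store[$selector])) {
        return null;                           // unknown selector
    }
    $row = $store[$selector];
    if ($row['expires'] <= $now) {
        unset($store[$selector]);              // expired: garbage-collect it
        return null;
    }
    // Constant-time comparison of the hashes, not of the raw secret.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        foreach ($store as $sel => $r) {
            if ($r['user_id'] === $row['user_id']) {
                unset($store[$sel]);           // revoke all tokens of this user
            }
        }
        return null;
    }
    return $row['user_id'];
}

// --- Demo with a constructed in-memory store instead of a database table ---
$store = [];
$now   = 1500000000;                           // constructed timestamp
[$cookieValue, $row] = issueRememberToken(42, $now);
$store[$row['selector']] = $row;

// In a real response the cookie would be set with the restrictive flags:
// setcookie(REMEMBER_COOKIE, $cookieValue, [
//     'expires' => $now + REMEMBER_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
// ]);

// Genuine cookie: resolves to the user id.
var_dump(checkRememberToken($cookieValue, $store, $now + 60));

// Same selector with a forged validator: rejected, and user 42's tokens are revoked.
$forged = $row['selector'] . ':' . str_repeat('0', 64);
var_dump(checkRememberToken($forged, $store, $now + 60));

// The genuine cookie is now rejected too, forcing a fresh password login.
var_dump(checkRememberToken($cookieValue, $store, $now + 60));
```

The split into selector and validator is what lets the lookup be done by an indexed, non-secret column while the secret is still compared in constant time; the revoke-on-mismatch step is the theft-detection behaviour that a plain "long random cookie" approach lacks.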

Rudloff (reporter), 2017-02-23 12:37, ~43082

Here is a basic implementation as a plugin: https://framagit.org/Animafac/limesurvey-rememberme

DenisChenu (developer), 2017-02-28 14:19, ~43095

In fact, for all sessions:

    'session' => array(
        'sessionName' => 'ls',
        'cookieParams' => array(
            'lifetime' => 60*60*24*7,
        ),
    ),

Works too without issue (here for 7 days).

You can use `'savePath' => '/outofgarbage/tmp',` to prevent the server from garbage-collecting the sessions too.

I close this one

Rudloff (reporter), 2017-02-28 15:28, ~43097

It's generally not a good idea to store long PHP sessions, especially if you don't use garbage collection, because a lot of sessions can be created quite easily by an attacker and they can fill your drive.

What if I run something like this in Bash, for example:

    for ((i=1;i<=100000;i++)); do curl http://example.com/LimeSurvey/index.php/admin/authentication/sa/login; done

Because LS creates a new session for every user, even if they are not logged in, this allows creating unlimited sessions, and they won't be garbage collected. (And even if you set up a cron job for garbage collection, 7 days is enough time to fill up your server's drive.)

This is why it is considered a better practice to:

  • Have short PHP sessions for everyone
  • Have a second mechanism for long sessions used only for logged-in users
  • Have a way to garbage collect old sessions
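The three points above as a Yii 1 `session` component configuration, added here as an example that is not LimeSurvey's own config.php: the long-lived setting from the earlier note is shown beside a configuration that keeps anonymous sessions short and garbage collected and leaves long-lived login to a separate remember-me cookie. The property names (`cookieParams`, `timeout`, `gCProbability`, `savePath`) are those of Yii 1's CHttpSession as I understand them, and the save path is a placeholder.

```php
<?php
// Added example, not the project's shipped config: two versions of the
// 'session' component in a Yii 1 application config.

// Weak: every visitor, logged in or not, gets a 7-day session, and moving the
// save path out of the system tmp directory keeps it out of the distribution's
// session cleanup, so nothing ever removes the files an unauthenticated
// client can create.
$weakSession = array(
    'sessionName'  => 'ls',
    'savePath'     => '/outofgarbage/tmp',
    'cookieParams' => array(
        'lifetime' => 60 * 60 * 24 * 7,
    ),
);

// Better: short anonymous sessions that PHP's own garbage collector removes,
// cookie flags set, and no long lifetime here at all. A logged-in user who
// ticked "Remember me" is re-authenticated by a separate, per-user token
// (see the remember-me plugin), not by keeping the PHP session alive.
$hardenedSession = array(
    'sessionName'   => 'ls',
    'savePath'      => '/var/lib/php/sessions/limesurvey', // placeholder path, writable by the web server only
    'timeout'       => 60 * 30,   // session.gc_maxlifetime: 30 minutes of inactivity
    'gCProbability' => 1,         // session.gc_probability / gc_divisor: run GC on about 1% of requests
    'cookieParams'  => array(
        'lifetime' => 0,          // session cookie: discarded when the browser closes
        'httponly' => true,       // not readable from JavaScript
        'secure'   => true,       // sent over HTTPS only
    ),
);

return array(
    'components' => array(
        'session' => $hardenedSession,
    ),
);
```

With `timeout` bounded and `gCProbability` non-zero, the loop from the previous comment still creates session files, but each one lives at most 30 minutes and the collector runs on ordinary traffic, so the number of files on disk stays proportional to recent request rate rather than growing for a week; if the deployment relies on an external cron for cleanup instead, that job must use the same short `gc_maxlifetime`.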

DenisChenu (developer), 2017-02-28 16:04, ~43098

Hi Rudloff,
1: bug title: "Add a login cookie with a duration longer than the session": can be fixed by Yii
2: your plugin does really better and fixes the situation.
=> Then I think we can close this bug.

I send it in feedback to Carsten.

DenisChenu (developer), 2017-02-28 16:05, ~43099

OK to close it?

DenisChenu (developer), 2017-02-28 16:06, ~43100

PS: @Rudloff: if you find some time to put your plugin in https://www.limesurvey.org/index.php?option=com_sobipro&sid=61:Authentication&Itemid=729, that would be great.

If you want me to do it, I can (just ask), but it's better if you do it.

Rudloff (reporter), 2017-02-28 16:23, ~43102

OK, you can close the bug. I will submit my plugin, but I want to add some documentation and tests first.

DenisChenu (developer), 2017-02-28 16:28, ~43103

Thanks

DenisChenu (developer), 2017-11-17 11:48, ~45102

@c_schmitz: maybe we can include this plugin in the core plugins for 3.0?

Issue History

Date Modified Username Field Change
2017-02-20 18:10 Rudloff New Issue
2017-02-21 18:59 DenisChenu Note Added: 43054
2017-02-21 19:06 Rudloff Note Added: 43058
2017-02-23 12:37 Rudloff Note Added: 43082
2017-02-28 14:19 DenisChenu Note Added: 43095
2017-02-28 14:19 DenisChenu Status new => closed
2017-02-28 14:19 DenisChenu Resolution open => no change required
2017-02-28 15:28 Rudloff Status closed => feedback
2017-02-28 15:28 Rudloff Resolution no change required => reopened
2017-02-28 15:28 Rudloff Note Added: 43097
2017-02-28 16:04 DenisChenu Note Added: 43098
2017-02-28 16:05 DenisChenu Assigned To => c_schmitz
2017-02-28 16:05 DenisChenu Status feedback => assigned
2017-02-28 16:05 DenisChenu Status assigned => feedback
2017-02-28 16:05 DenisChenu Note Added: 43099
2017-02-28 16:06 DenisChenu Note Added: 43100
2017-02-28 16:23 Rudloff Note Added: 43102
2017-02-28 16:23 Rudloff Status feedback => assigned
2017-02-28 16:28 DenisChenu Note Added: 43103
2017-11-17 11:48 DenisChenu Note Added: 45102