View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
| 12143 | Feature requests | Security | public | 2017-02-20 18:10 | 2017-11-17 11:48 |

Summary: 12143: Add a login cookie with a duration longer than the session
It seems the admin login uses PHP sessions, which are destroyed at the end of the browsing session (or even before, if the server cleans the sessions every X minutes), which is pretty annoying.
Would it be possible to add a login cookie with a longer duration, which is what most web apps do nowadays?
It can be optional with a "Remember me" checkbox.
Tags: No tags attached.
I like it; it can be done in a plugin currently.
- cookies must really have some encryption mechanism
- cookies must use some salt
We can use a library like rememberme (https://github.com/gbirke/rememberme) to ensure that the cookie is sufficiently secure.
Here is a basic implementation as a plugin: https://framagit.org/Animafac/limesurvey-rememberme
In fact, for all sessions:

    'cookieParams' => array(
        'lifetime' => 60 * 60 * 24 * 7,
    ),

works too without issue (here for 7 days).
You can also use 'savePath' => '/outofgarbage/tmp', to stop the server from garbage-collecting the session too.
I'm closing this one.
It's generally not a good idea to store long PHP sessions, especially if you don't use garbage collection, because a lot of sessions can be created quite easily by an attacker and they can fill your drive.
What if I run something like this in Bash, for example:

    for ((i=1;i<=100000;i++)); do curl http://example.com/LimeSurvey/index.php/admin/authentication/sa/login; done

Because LS creates a new session for every user, even if they are not logged in, this allows creating unlimited sessions and they won't be garbage collected. (And even if you set up a cron for garbage collection, 7 days is enough time to fill up your server's drive.)
This is why it is considered better practice to:
* Have short PHP sessions for everyone
* Have a second mechanism for long sessions used only for logged-in users
* Have a way to garbage collect old sessions
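The three points above describe the shape of a persistent login that lives beside the short PHP session rather than inside it. The following is an added example written for this thread; it is not LimeSurvey code, not the linked plugin, and not the gbirke/rememberme library. It uses the selector/validator pattern: the cookie carries a public selector and a secret validator, only a hash of the validator is stored server-side, every token has an expiry, and a prune routine removes expired rows so the table cannot grow without bound the way unbounded session files can. The table name `persistent_login`, the cookie name `remember_me`, the in-memory SQLite database and the 7-day lifetime are assumptions chosen so the script runs stand-alone on PHP 7.3 or later.

```php
<?php
// Added example (not LimeSurvey, plugin or gbirke/rememberme code): a persistent
// login token kept separate from the short-lived PHP session, with hashed
// storage, expiry and garbage collection. Table/cookie names and the SQLite
// in-memory DSN are assumptions; swap the PDO DSN for the real database.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';     // cookie name (assumed)
const REMEMBER_LIFETIME = 60 * 60 * 24 * 7;  // 7 days, the value used in the thread

final class RememberMe
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS persistent_login (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            expires_at     INTEGER NOT NULL)');
    }

    /** Issue a token for an already authenticated user; never for anonymous visitors. */
    public function issue(int $userId, int $now): string
    {
        $selector  = bin2hex(random_bytes(9));   // public lookup key, stored in clear
        $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
        $stmt = $this->db->prepare('INSERT INTO persistent_login VALUES (?, ?, ?, ?)');
        $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_LIFETIME]);
        return $selector . ':' . $validator;     // this string becomes the cookie value
    }

    /** Return the user id for a valid, unexpired token, or null if it must be rejected. */
    public function check(string $cookieValue, int $now): ?int
    {
        $parts = explode(':', $cookieValue, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$selector, $validator] = $parts;
        $stmt = $this->db->prepare(
            'SELECT validator_hash, user_id, expires_at FROM persistent_login WHERE selector = ?');
        $stmt->execute([$selector]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['expires_at'] < $now) {
            return null;                         // unknown selector or expired token
        }
        // Constant-time comparison of the hashed validator avoids timing leaks.
        if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
            $this->revoke($selector);            // right selector, wrong secret: burn the token
            return null;
        }
        return (int) $row['user_id'];
    }

    public function revoke(string $selector): void
    {
        $this->db->prepare('DELETE FROM persistent_login WHERE selector = ?')->execute([$selector]);
    }

    /** Garbage-collect expired tokens; run this from cron so the table stays bounded. */
    public function prune(int $now): int
    {
        $stmt = $this->db->prepare('DELETE FROM persistent_login WHERE expires_at < ?');
        $stmt->execute([$now]);
        return $stmt->rowCount();
    }

    /** Cookie attributes for setcookie(): HttpOnly, Secure and SameSite limit exposure. */
    public static function cookieOptions(int $now): array
    {
        return ['expires' => $now + REMEMBER_LIFETIME, 'path' => '/', 'secure' => true,
                'httponly' => true, 'samesite' => 'Lax'];
    }
}

// Demonstration on an in-memory database with a constructed user id.
$rm    = new RememberMe(new PDO('sqlite::memory:'));
$now   = time();
$token = $rm->issue(42, $now);
// In a real request: setcookie(REMEMBER_COOKIE, $token, RememberMe::cookieOptions($now));
var_dump($rm->check($token, $now));                               // fresh token
var_dump($rm->check($token, $now + REMEMBER_LIFETIME + 1));       // same token after the lifetime
[$selector] = explode(':', $token, 2);
var_dump($rm->check($selector . ':' . str_repeat('0', 64), $now)); // correct selector, wrong validator
var_dump($rm->check($token, $now));                               // original token after that attempt
echo $rm->prune($now + REMEMBER_LIFETIME + 1), " expired token(s) removed\n";
```

The split into selector and validator means a database leak does not hand out usable cookies (only hashes are stored), and a guessed selector with a wrong validator both fails and revokes the real token, which is the usual signal that a cookie was copied. The PHP session itself can keep its default short lifetime; the only thing this table carries for anonymous visitors is nothing at all, which is what keeps it from filling the disk under the curl loop above.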
1: bug title: Add a login cookie with a duration longer than the session: can be fixed by Yii
2: your plugin really does better and fixes the situation.
=> Then I think we can close this bug.
I'm sending it as feedback to Carsten.
OK to close it?
PS: @Rudloff: if you find some time to put your plugin in https://www.limesurvey.org/index.php?option=com_sobipro&sid=61:Authentication&Itemid=729, that would be great.
If you want me to do it, I can (just ask), but it's better if you do it.
OK, you can close the bug. I will submit my plugin, but I want to add some documentation and tests first.
@c_schmitz: maybe we can include this plugin as a core plugin for 3.0?
Issue History

| Date Modified | Username | Field | Change |
| 2017-02-20 18:10 | Rudloff | New Issue | |
| 2017-02-21 18:59 | DenisChenu | Note Added: 43054 | |
| 2017-02-21 19:06 | Rudloff | Note Added: 43058 | |
| 2017-02-23 12:37 | Rudloff | Note Added: 43082 | |
| 2017-02-28 14:19 | DenisChenu | Note Added: 43095 | |
| 2017-02-28 14:19 | DenisChenu | Status | new => closed |
| 2017-02-28 14:19 | DenisChenu | Resolution | open => no change required |
| 2017-02-28 15:28 | Rudloff | Status | closed => feedback |
| 2017-02-28 15:28 | Rudloff | Resolution | no change required => reopened |
| 2017-02-28 15:28 | Rudloff | Note Added: 43097 | |
| 2017-02-28 16:04 | DenisChenu | Note Added: 43098 | |
| 2017-02-28 16:05 | DenisChenu | Assigned To | => c_schmitz |
| 2017-02-28 16:05 | DenisChenu | Status | feedback => assigned |
| 2017-02-28 16:05 | DenisChenu | Status | assigned => feedback |
| 2017-02-28 16:05 | DenisChenu | Note Added: 43099 | |
| 2017-02-28 16:06 | DenisChenu | Note Added: 43100 | |
| 2017-02-28 16:23 | Rudloff | Note Added: 43102 | |
| 2017-02-28 16:23 | Rudloff | Status | feedback => assigned |
| 2017-02-28 16:28 | DenisChenu | Note Added: 43103 | |
| 2017-11-17 11:48 | DenisChenu | Note Added: 45102 | |