Invalidate Session on Password Change #18410
Comments
|
|
@MTRichards Please provide a milestone here. |
|
Is there a ticket? |
|
@LukasReschke Are we planning on doing anything here, or is the urgency such that it is not required soon? |
owncloud/client#3912 ;) (always check the last backlink at around the time of adding the label ;)) |
|
|
This seems to be because the session is still valid. So we should invalidate the session, and then require us to hit the LDAP/AD again. Isn't there a session keep alive setting somewhere? (if not, this would be good). Is there an event or something when a user's external (LDAP/AD) password is changed? Do we even know when this happens (I think not)? Alternatively, a manual "invalidate session" option might also work, but as an admin this is undesirable behavior. |
For LDAP there is a TTL
cc @blizzz
It's not about the manual way, but about being able to do so (also from a developers point of view). |
Only used for caching, nothing to do with sessions.
No, we don't. |
|
right, so now I understand the feature request - we need a TTL for session information. @bboule I need to understand if this makes the top ten and the urgency there, and then @cmonteroluque can discuss delivery. No later than 9.1 in my head at this time, but not confirmed. |
|
Do we really have to invalidate the session or is it enough to invalidate the data in the session? |
from my understanding we need to invalidate the session - which can be done by marking the session as invalid and do a forced logout. but the interesting point here is: we have no understanding when the password is changed on the ldap server - we basically have no other choice then let the session live until it expires. we might need to readjust the session renewal mechanism - afaik a session will continue to live for ever (as in no password reentry by the user) if the session is reused often enough |
|
@felixboehm Could we add this to next weeks discussion as I dont seem to have a firm grasp of the priority here |
* allows to drop the session from the database and then kill the active session automatically * this check is done at most once every 5 seconds * ref #18410
|
Folks, I need a question answered. Should this be an OCC command, such as occ: kill user_1 - this requires the admin to run an OCC command with the username specifically It has an impact on the design and architecture. |
I guess both, but at most the second one. Also something like killing your own other sessions would be nice. See how github handles it: https://github.com/settings/security |
|
For my specific request the user has no more access to the LDAP, but its still logged in the sync-client and continue downloading and uploading files, the user can't log over the webUI because of the credentials.
That would be enough for my customer. |
This nevertheless requires the ownCloud knows that user <-> session relationship which is currently not possible. |
|
Work package:
|
|
Estimate: 2 weeks. |
* allows to drop the session from the database and then kill the active session automatically * this check is done at most once every 5 seconds * ref #18410
|
@ChristophWurst Is this already covered by your pluggable auth |
|
@MorrisJobke yes, that is covered. The session token contains the encrypted login password which is re-checked about once per 5 minutes and the user is logged out if the password was changed. I did not test with LDAP, but the implementation should work with any user backend the user manager queries. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Imported from https://github.com/owncloud/security-tracker/issues/31:
Also related to #13727 (comment) and #17866 (comment)
The text was updated successfully, but these errors were encountered: