Wish List: Wish #533


Pascal Meunier

Don't leave users logged in permanently by default

There’s a checkbox that’s checked by default on nanoHUB (“Keep me logged in?”). It leaves you permanently logged in. There should be alternatives that are less risky but still convenient enough. I suggest instead a select box with a configurable default value, with choices like 3, 6, 12, 24, and, if you really must have it, permanently (never the default). You shouldn’t leave users logged in permanently; this is very bad security.

Comments (2)

  1. Joseph M. Cychosz

    I agree that it should not be the default state. But if selected, you should remain logged in. This should work like FB, LinkedIn, Amazon, etc. Now if at some point, say editing a resource, making a submission, changing your profile, etc., then like Amazon, you may want to re-authenticate the user to make sure they are still the person there after 30 days of being logged in, etc.

    People don’t want to have to log in to browse. We want them to be logged in so we know who they are. We don’t want to create a security issue, but being kept logged in in itself is not a security problem. It’s what can be done that is where the security issue lies.

    For Amazon, there is a difference between being logged in and knowing who you are and having access to your favorites and wish lists without having to re-authenticate.


  2. Pascal Meunier

    The hub doesn’t currently support re-authenticating when performing important actions. Let’s assume for the sake of this paragraph that the hub should indeed behave like a shopping site. Until a list of important actions is created, and support implemented for reauthenticating, then allowing people to remain logged in permanently by default makes no sense and is broken security. Implementing this wish is the quickest way to repair the broken security without increasing inconvenience too much. Later, we can plan for a “stay logged in but reauthenticate for important actions” model. The list of actions requiring re-authentication is likely going to be long, and this is going to increase the inconvenience. There could still be a timer somewhere (like when doing “sudo”), unless you want to force re-authentication every time you take an important action. What is going to be the interval after which you’ll need to re-authenticate again for important actions?

    The point of logging in is indeed knowing who you are. However, after a while there’s a likelihood that the person at the other end is no longer the same, so you can’t be really sure who they are. Logged in doesn’t mean we know for certain who you are, after a while. Risk increases with time, so only trivial activity, like browsing available merchandise or searching and viewing free videos, could be allowed without re-authentication.

    Regarding FB, the worst that can happen if you don’t log out of Facebook is that someone is going to post on your account “I’m a little teapot” and similar mischief. Nevertheless, this is enough of a concern for some people to have created a Firefox plugin that will auto-logout from FB, thereby correcting the “broken by design” FB. I think FB has terrible security policies for users, and of course many people don’t mind, but that would take too long to discuss here. My point is that FB is not a good example to follow in general.

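The session policy the two comments sketch, a bounded “keep me logged in” lifetime chosen from a short list with no permanent default, plus a sudo-style timer that demands a fresh password before important actions, as an added Python example. This is illustrative code written for this page, not nanoHUB’s own code; the hour choices (taken from the wish), the 12-hour default, the 15-minute re-authentication window, the action names and the base timestamp are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values (illustrative, not nanoHUB's): the select-box
# choices from the wish, in hours. "permanent" is opt-in only and is
# never the default.
ALLOWED_LIFETIMES_HOURS = (3, 6, 12, 24)
DEFAULT_LIFETIME_HOURS = 12
# sudo-style window: how recently the password must have been entered
# before an important action is allowed without re-authenticating.
REAUTH_WINDOW = timedelta(minutes=15)
# Assumed list of important actions; anything else counts as browsing.
SENSITIVE_ACTIONS = frozenset({"edit_resource", "submit", "change_profile"})

# Constructed base time used by the demo below.
T0 = datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc)


def at(hours: float = 0, minutes: float = 0) -> datetime:
    """Clock value `hours`/`minutes` after the constructed base time."""
    return T0 + timedelta(hours=hours, minutes=minutes)


@dataclass(frozen=True)
class Session:
    user_id: str
    created_at: datetime
    last_auth_at: datetime          # last time the password was entered
    lifetime_hours: Optional[int]   # None = permanent (explicit opt-in)

    def is_valid(self, now: datetime) -> bool:
        """A session is live until its lifetime elapses; permanent never expires."""
        if self.lifetime_hours is None:
            return True
        return now < self.created_at + timedelta(hours=self.lifetime_hours)


def choose_lifetime(form_value: Optional[str]) -> Optional[int]:
    """Map the "keep me logged in" select-box value to a session lifetime.

    A missing value gets the configurable default, never "permanent";
    values outside the allowed list are rejected rather than trusted.
    """
    if not form_value:
        return DEFAULT_LIFETIME_HOURS
    if form_value == "permanent":
        return None
    try:
        hours = int(form_value)
    except ValueError:
        raise ValueError(f"unsupported session lifetime: {form_value!r}")
    if hours not in ALLOWED_LIFETIMES_HOURS:
        raise ValueError(f"unsupported session lifetime: {hours}")
    return hours


def login(user_id: str, form_value: Optional[str], now: datetime) -> Session:
    """Create a session after a successful password check at time `now`."""
    return Session(user_id, now, now, choose_lifetime(form_value))


def reauthenticate(session: Session, now: datetime) -> Session:
    """Record a fresh password entry; the session lifetime is unchanged."""
    return Session(session.user_id, session.created_at, now, session.lifetime_hours)


def authorize(session: Session, action: str, now: datetime) -> str:
    """Decide what to do with `action`: 'allow', 'reauth' or 'login'.

    Browsing only needs a live session; an important action additionally
    needs a password entry within REAUTH_WINDOW, like sudo's timer.
    """
    if not session.is_valid(now):
        return "login"
    if action in SENSITIVE_ACTIONS and now - session.last_auth_at > REAUTH_WINDOW:
        return "reauth"
    return "allow"


if __name__ == "__main__":
    s = login("alice", None, T0)                         # form untouched -> default
    print(authorize(s, "browse", at(hours=1)))           # allow
    print(authorize(s, "edit_resource", at(hours=1)))    # reauth: window elapsed
    s = reauthenticate(s, at(hours=1))
    print(authorize(s, "edit_resource", at(hours=1, minutes=5)))  # allow
    print(authorize(s, "browse", at(hours=13)))          # login: 12h lifetime over
```

The two timers answer the interval question raised above separately: the session lifetime bounds how long the cookie identifies someone at all, and the re-authentication window bounds how stale the last password entry may be for an important action, so browsing stays convenient while the exposure from an abandoned session shrinks with time.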