Skip to main content
Topic: "Exploit"... (Read 4740 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Re: "Exploit"...

Reply #15
ok, thank you all...
two more ideas to discuss (a good german beer is sometimes a great inspration  :D )
- remove the checkbox "Disable administration security" from the gui and make it a hidden db setting? It shouldn't be that easy to bypass a critical security related setting.
- make the admin session lifetime configurable via setting and allow values between 5 minutes and 1 hour (current refresh time is 3600) I'd personally prefer a shorter refresh time. (10 minutes?) Except from the maintenance tasks you'd normally need just some minutes to finish the admin task.
Thorsten "TE" Eurich
------------------------

Re: "Exploit"...

Reply #16
Quote
- remove the checkbox "Disable administration security" from the gui and make it a hidden db setting? It shouldn't be that easy to bypass a critical security related setting.

I did that a while ago. ;)

Quote
- make the admin session lifetime configurable via setting and allow values between 5 minutes and 1 hour (current refresh time is 3600) I'd personally prefer a shorter refresh time. (10 minutes?) Except from the maintenance tasks you'd normally need just some minutes to finish the admin task.

That's interesting. I can see that if you're doing quick tasks, you probably do only need 10 minutes, but if it's a complex operation it might need longer. I know our plugin uploading would appreciate the longer period especially if you have multiple plugins (because we don't have the same upload process at all now)

And don't forget the 'while I'm here...' mentality, going into the admin panel to do one thing and doing a bunch of others.

One thing I also added that might be useful is to include a message to the user at the top of the admin area to indicate the time remaining in the admin session.

Re: "Exploit"...

Reply #17
Except from the maintenance tasks you'd normally need just some minutes to finish the admin task.
Attachments maintenance may take hours...many hours. And the checkbox to disable admin security becomes handy in that cases (of course is a quite limited scenario, but a real one).
Bugs creator.
Features destroyer.
Template killer.

Re: "Exploit"...

Reply #18
You could always deal with that the way MediaWiki does: by making them CLI scripts only. But that doesn't do a lot for those using poor hosts. Mind you, those running poor hosts don't usually get their forums big enough to be up to the 'maintenance taking hours' stage.

Re: "Exploit"...

Reply #19
You could always deal with that the way MediaWiki does: by making them CLI scripts only.

And many others. Yes, TBH I love this way: CLI scripts with clear defined purposes, for maintenance, upgrade, stuff.

It doesn't need to be exclusive ("this way and only it"), all the rest stands.

We'll see I guess, if there is interest for developing CLI equivalents or maintaining or enhancing existing versions. (upgrade already has)
The best moment for testing your PR is right after you merge it. Can't miss with that one.

Re: "Exploit"...

Reply #20
Attachments maintenance may take hours...many hours. And the checkbox to disable admin security becomes handy in that cases (of course is a quite limited scenario, but a real one).
yep, I know at least one forum where it was a real scenario (german forum about photography with "millions" of attachments). It's an edge case, I think. The few ones who would run into such problems could still enable it via phpMyAdmin.  Most will probably disable the admin security because they are to lazy to type their passwords frequently. I still believe we should discourage them from doing that.

Quote from: Arantor
You could always deal with that the way MediaWiki does: by making them CLI scripts only. But that doesn't do a lot for those using poor hosts. Mind you, those running poor hosts don't usually get their forums big enough to be up to the 'maintenance taking hours' stage.
CLI is nice but remote shell access via SSH is an extremely rare feature when it comes to shared hosting.
Thorsten "TE" Eurich
------------------------

Re: "Exploit"...

Reply #21
Sure it's a nicety but on the other hand, the forums big enough to actually run into timeouts (because it's > 1 hour), will almost certainly be on VPS type hosting or better anyway.

Re: "Exploit"...

Reply #22
Was working on this one and believe I should notice this:
If an admin is logging in there's automatically an admin session initialized.

Do we really need an active admin session on login?  Can only speek for myself: I use my account (with admin privileges) permanently but I rarely visit the admin interface..

Thorsten "TE" Eurich
------------------------

Re: "Exploit"...

Reply #23
Yeah it's a tricky one. My 2c is the same as your 2c, but other admins may be different.
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: "Exploit"...

Reply #24
Well, you have just entered your password... I don't see how not having the admin session initialised would help.
Bugs creator.
Features destroyer.
Template killer.

Re: "Exploit"...

Reply #25
True. Ok, leave it.
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: "Exploit"...

Reply #26
I've just entered my password but I don't need admin access right now, so the admin session doesn't need to be initialized.

Example: Maybe someone is stealing my session via XSS.. they still cannot access the admin interface, because there isn't an active admin session. I believe it's a benefit regarding security, a small one, but still a benefit. I personally login at forums several times a day but I rarely visit the admin interface... So there's no need to initialize that session.
Thorsten "TE" Eurich
------------------------

Re: "Exploit"...

Reply #27
I'm easy either way.
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: "Exploit"...

Reply #28
I very rarely log into any (live) forum, I'm always logged in, and most of the times I login is just for testing on some localhost... lol

From what I read at sm.org, me and you are just a couple of exceptions, most of the admins out there are spending more time in the admin panel than in the forum itself...
Bugs creator.
Features destroyer.
Template killer.

Re: "Exploit"...

Reply #29
hahaha, you're probably right.. I'm paranoid when it comes to security  O:-)

I have to login several time a day, our company internet access for "private use" is designed that way (the web browser is a published application from terminal servers and the user's profile incl. all cookies and temporary internet files on that servers will be deleted once you've closed your browser).

Edit: How about making an option to enable "auto admin session on login" in the admin interface?
Thorsten "TE" Eurich
------------------------