"Exploit"...

"Exploit"... Started by emanuele · May 09, 2013, 04:55:37 am · Read 22432 times 0 Members and 1 Guest are viewing this topic. previous topic - next topic

Re: "Exploit"...

Reply #15 – May 11, 2013, 04:46:04 pm

ok, thank you all...
two more ideas to discuss (a good german beer is sometimes a great inspration

)
- remove the checkbox "Disable administration security" from the gui and make it a hidden db setting? It shouldn't be that easy to bypass a critical security related setting.
- make the admin session lifetime configurable via setting and allow values between 5 minutes and 1 hour (current refresh time is 3600) I'd personally prefer a shorter refresh time. (10 minutes?) Except from the maintenance tasks you'd normally need just some minutes to finish the admin task.

Re: "Exploit"...

Reply #16 – May 11, 2013, 05:14:57 pm

Quote- remove the checkbox "Disable administration security" from the gui and make it a hidden db setting? It shouldn't be that easy to bypass a critical security related setting.

I did that a while ago.

Quote- make the admin session lifetime configurable via setting and allow values between 5 minutes and 1 hour (current refresh time is 3600) I'd personally prefer a shorter refresh time. (10 minutes?) Except from the maintenance tasks you'd normally need just some minutes to finish the admin task.

That's interesting. I can see that if you're doing quick tasks, you probably do only need 10 minutes, but if it's a complex operation it might need longer. I know our plugin uploading would appreciate the longer period especially if you have multiple plugins (because we don't have the same upload process at all now)

And don't forget the 'while I'm here...' mentality, going into the admin panel to do one thing and doing a bunch of others.

One thing I also added that might be useful is to include a message to the user at the top of the admin area to indicate the time remaining in the admin session.

Re: "Exploit"...

Reply #17 – May 11, 2013, 05:35:31 pm

Quote from: TE – May 11, 2013, 04:46:04 pmExcept from the maintenance tasks you'd normally need just some minutes to finish the admin task.

Attachments maintenance may take hours...many hours. And the checkbox to disable admin security becomes handy in that cases (of course is a quite limited scenario, but a real one).

Re: "Exploit"...

Reply #18 – May 11, 2013, 05:42:16 pm

You could always deal with that the way MediaWiki does: by making them CLI scripts only. But that doesn't do a lot for those using poor hosts. Mind you, those running poor hosts don't usually get their forums big enough to be up to the 'maintenance taking hours' stage.

Re: "Exploit"...

Reply #19 – May 12, 2013, 01:59:36 am

Quote from: Arantor – May 11, 2013, 05:42:16 pmYou could always deal with that the way MediaWiki does: by making them CLI scripts only.

And many others. Yes, TBH I love this way: CLI scripts with clear defined purposes, for maintenance, upgrade, stuff.

It doesn't need to be exclusive ("this way and only it"), all the rest stands.

We'll see I guess, if there is interest for developing CLI equivalents or maintaining or enhancing existing versions. (upgrade already has)

Re: "Exploit"...

Reply #20 – May 12, 2013, 02:36:49 am

Quote from: emanuele – May 11, 2013, 05:35:31 pmAttachments maintenance may take hours...many hours. And the checkbox to disable admin security becomes handy in that cases (of course is a quite limited scenario, but a real one).

yep, I know at least one forum where it was a real scenario (german forum about photography with "millions" of attachments). It's an edge case, I think. The few ones who would run into such problems could still enable it via phpMyAdmin. Most will probably disable the admin security because they are to lazy to type their passwords frequently. I still believe we should discourage them from doing that.

Quote from: ArantorYou could always deal with that the way MediaWiki does: by making them CLI scripts only. But that doesn't do a lot for those using poor hosts. Mind you, those running poor hosts don't usually get their forums big enough to be up to the 'maintenance taking hours' stage.

CLI is nice but remote shell access via SSH is an extremely rare feature when it comes to shared hosting.

Re: "Exploit"...

Reply #21 – May 12, 2013, 09:23:50 am

Sure it's a nicety but on the other hand, the forums big enough to actually run into timeouts (because it's > 1 hour), will almost certainly be on VPS type hosting or better anyway.

Re: "Exploit"...

Reply #22 – July 13, 2013, 01:01:24 pm

Was working on this one and believe I should notice this:
If an admin is logging in there's automatically an admin session initialized.

Do we really need an active admin session on login? Can only speek for myself: I use my account (with admin privileges) permanently but I rarely visit the admin interface..

Re: "Exploit"...

Reply #23 – July 13, 2013, 04:29:58 pm

Yeah it's a tricky one. My 2c is the same as your 2c, but other admins may be different.

Re: "Exploit"...

Reply #24 – July 13, 2013, 04:41:37 pm

Well, you have just entered your password... I don't see how not having the admin session initialised would help.

Re: "Exploit"...

Reply #25 – July 13, 2013, 04:43:39 pm

True. Ok, leave it.

Re: "Exploit"...

Reply #26 – July 13, 2013, 04:49:27 pm

I've just entered my password but I don't need admin access right now, so the admin session doesn't need to be initialized.

Example: Maybe someone is stealing my session via XSS.. they still cannot access the admin interface, because there isn't an active admin session. I believe it's a benefit regarding security, a small one, but still a benefit. I personally login at forums several times a day but I rarely visit the admin interface... So there's no need to initialize that session.

Re: "Exploit"...

Reply #27 – July 13, 2013, 04:58:47 pm

I'm easy either way.

Re: "Exploit"...

Reply #28 – July 13, 2013, 05:12:49 pm

I very rarely log into any (live) forum, I'm always logged in, and most of the times I login is just for testing on some localhost... lol

From what I read at sm.org, me and you are just a couple of exceptions, most of the admins out there are spending more time in the admin panel than in the forum itself...

Re: "Exploit"...

Reply #29 – July 13, 2013, 05:25:10 pm

hahaha, you're probably right.. I'm paranoid when it comes to security

I have to login several time a day, our company internet access for "private use" is designed that way (the web browser is a published application from terminal servers and the user's profile incl. all cookies and temporary internet files on that servers will be deleted once you've closed your browser).

Edit: How about making an option to enable "auto admin session on login" in the admin interface?