Web Portal - Configurable Maximum Login Time - Potential Security Issue
Answered

The web portal stays logged in for too long of a time. There should be a configurable timeout to a maximum logged-in session.
Let's say a potential bad actor gets on a computer that both uses AutoElevate to control administrator privileges AND is logged into the web portal. The bad actor can elevate their own privileges to administrator and wreak more havoc than they could otherwise. Yes, you could say once a bad actor is on a computer, it's game over anyway, but that's why there are layers to security.
Official comment
Andrea Mastellone

I just wanted to let you know that we have this on our roadmap and will be working on this in the near future. It will not appear on our public roadmap as it is security sensitive.
We also will be releasing SSO with AzureAD very soon and this will be a non-issue since AzureAD tokens always expire after 24 hours and require re-authentication. Hopefully you are able to take advantage of that. However, non-SSO users will definitely need this to be handled and we agree that it is necessary.
Please do check out our new "Roadmap" as we will be shutting down this site and focusing our conversations regarding features there: https://github.com/AutoElevate/roadmap#readme
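As an added illustration (not code from the original post or from AutoElevate), here is a small Python session validator that shows the gap the request above describes: an idle-only timeout lets an actively used workstation stay logged in indefinitely, while a configurable maximum session lifetime forces re-authentication regardless of activity. The class and function names are assumptions, and the request timeline is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: one login session and a policy that enforces
# an idle timeout and, optionally, a hard maximum session lifetime.

@dataclass
class Session:
    user: str
    issued_at: float   # epoch seconds when the login happened
    last_seen: float   # epoch seconds of the last accepted request

class SessionPolicy:
    def __init__(self, max_lifetime_s: Optional[int], idle_timeout_s: int):
        # max_lifetime_s=None reproduces the weak "idle timeout only" behaviour;
        # a value caps the login even when the user is continuously active.
        self.max_lifetime_s = max_lifetime_s
        self.idle_timeout_s = idle_timeout_s

    def check(self, session: Session, now: float) -> str:
        """Return 'ok', 'expired_idle' or 'expired_max'; refreshes last_seen on 'ok'."""
        if self.max_lifetime_s is not None and now - session.issued_at >= self.max_lifetime_s:
            return "expired_max"      # absolute cap wins even for an active user
        if now - session.last_seen >= self.idle_timeout_s:
            return "expired_idle"
        session.last_seen = now       # sliding idle window
        return "ok"

def simulate(policy: SessionPolicy, request_times: List[float]) -> List[str]:
    """Replay request timestamps against one login; stop at the first rejection."""
    s = Session(user="admin", issued_at=0.0, last_seen=0.0)
    verdicts = []
    for t in request_times:
        v = policy.check(s, t)
        verdicts.append(v)
        if v != "ok":
            break                     # server side: destroy session, force re-login
    return verdicts

if __name__ == "__main__":
    # A workstation issuing a request every 10 minutes for 9 hours.
    active_9h = [600 * i for i in range(1, 55)]
    weak = SessionPolicy(max_lifetime_s=None, idle_timeout_s=15 * 60)
    hardened = SessionPolicy(max_lifetime_s=8 * 3600, idle_timeout_s=15 * 60)
    print("idle-only:", simulate(weak, active_9h)[-1])        # ok (never expires)
    print("with max lifetime:", simulate(hardened, active_9h)[-1])  # expired_max
```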