Page MenuHomePhabricator

Make partial sessions expire after 30 minutes, and do not extend them
ClosedPublic

Authored by epriestley on Dec 18 2018, 7:58 PM.
Tags
None
Referenced Files
F12805538: D19905.id47516.diff
Wed, Mar 27, 5:21 PM
Unknown Object (File)
Sat, Mar 23, 5:43 PM
Unknown Object (File)
Thu, Mar 21, 11:56 AM
Unknown Object (File)
Thu, Mar 21, 11:56 AM
Unknown Object (File)
Feb 24 2024, 5:12 PM
Unknown Object (File)
Feb 16 2024, 12:35 AM
Unknown Object (File)
Feb 3 2024, 8:25 PM
Unknown Object (File)
Jan 25 2024, 1:38 AM
Subscribers
None

Details

Summary

Depends on D19904. Ref T13226. Ref T13222. Currently, partial sessions (where you've provided a primary auth factor like a password, but not yet provided MFA) work like normal sessions: they're good for 30 days and extend indefinitely under regular use.

This behavior is convenient for full sessions, but normal users don't ever spend 30 minutes answering MFA, so there's no real reason to do it for partial sessions. If we add login alerts in the future, limiting partial sessions to a short lifetime will make them more useful, since an attacker can't get one partial session and keep extending it forever while waiting for an opportunity to get past your MFA.

Test Plan
  • Did a partial login (to the MFA prompt), checked database, saw a ~29 minute partial session.
  • Did a full login, saw session extend to ~30 days.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable