Page MenuHomePhabricator

Make partial sessions expire after 30 minutes, and do not extend them
ClosedPublic

Authored by epriestley on Dec 18 2018, 7:58 PM.

Details

Summary

Depends on D19904. Ref T13226. Ref T13222. Currently, partial sessions (where you've provided a primary auth factor like a password, but not yet provided MFA) work like normal sessions: they're good for 30 days and extend indefinitely under regular use.

This behavior is convenient for full sessions, but normal users don't ever spend 30 minutes answering MFA, so there's no real reason to do it for partial sessions. If we add login alerts in the future, limiting partial sessions to a short lifetime will make them more useful, since an attacker can't get one partial session and keep extending it forever while waiting for an opportunity to get past your MFA.

Test Plan
  • Did a partial login (to the MFA prompt), checked database, saw a ~29 minute partial session.
  • Did a full login, saw session extend to ~30 days.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Dec 18 2018, 7:58 PM
epriestley requested review of this revision.Dec 18 2018, 8:00 PM
amckinley accepted this revision.Dec 18 2018, 11:16 PM
This revision is now accepted and ready to land.Dec 18 2018, 11:16 PM
This revision was automatically updated to reflect the committed changes.