Differential D19905

Make partial sessions expire after 30 minutes, and do not extend them
ClosedPublic
Actions

Authored by epriestley on Dec 18 2018, 7:58 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Wed, Apr 24, 11:08 PM

	Unknown Object (File)
	Tue, Apr 23, 6:02 PM

	Unknown Object (File)
	Mon, Apr 8, 2:47 AM

	Unknown Object (File)
	Sat, Mar 30, 7:13 AM

	Unknown Object (File)
	Wed, Mar 27, 5:21 PM

	Unknown Object (File)
	Mar 23 2024, 5:43 PM

	Unknown Object (File)
	Mar 21 2024, 11:56 AM

	Unknown Object (File)
	Mar 21 2024, 11:56 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content
T13226: Consider login/session alerts, and other security alerts (for example, around MFA)

Commits

rPca39be60914b: Make partial sessions expire after 30 minutes, and do not extend them

Summary

Depends on D19904. Ref T13226. Ref T13222. Currently, partial sessions (where you've provided a primary auth factor like a password, but not yet provided MFA) work like normal sessions: they're good for 30 days and extend indefinitely under regular use.

This behavior is convenient for full sessions, but normal users don't ever spend 30 minutes answering MFA, so there's no real reason to do it for partial sessions. If we add login alerts in the future, limiting partial sessions to a short lifetime will make them more useful, since an attacker can't get one partial session and keep extending it forever while waiting for an opportunity to get past your MFA.

Test Plan

Did a partial login (to the MFA prompt), checked database, saw a ~29 minute partial session.
Did a full login, saw session extend to ~30 days.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Dec 18 2018, 7:58 PM

Harbormaster completed remote builds in B21370: Diff 47516.Dec 18 2018, 8:00 PM

epriestley requested review of this revision.Dec 18 2018, 8:00 PM

epriestley added a child revision: D19906: Fix a double-prompt for MFA when recovering a password account.Dec 18 2018, 8:04 PM

amckinley accepted this revision.Dec 18 2018, 11:16 PM

This revision is now accepted and ready to land.Dec 18 2018, 11:16 PM

Closed by commit rPca39be60914b: Make partial sessions expire after 30 minutes, and do not extend them (authored by epriestley). · Explain WhyDec 28 2018, 8:17 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

auth/

engine/

PhabricatorAuthSessionEngine.php

61 lines

storage/

PhabricatorAuthSession.php

8 lines

Diff 47593

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...

src/applications/auth/storage/PhabricatorAuthSession.php

Loading...