
Geeklog Forums

Preventing unauthorized access


barclay

Anonymous
Is there a hack for a security right that restricts a user's ability to change the cookietimeout? Alternatively, is there a hack to force "Don't remember me" if the IP address is not in a list of known safe addresses?

My site contains sensitive information and I don't want someone forgetting to close their session when using a public computer. I set the $_CONF['session_cookie_timeout'] value to 15 minutes which seems to do what I want. If someone just walks away, at least the session will close after 15 minutes. Ideally, I'd like the browser to automatically redirect to a login page at session timeout, but I don't know how to do that.

I've determined experimentally that the user's cookietimeout field overrides the session timeout. That is, if the user modifies their account information to set the cookietimeout to 1 hour, the session doesn't time out after 15 minutes as desired. I believe I know how to modify usersettings.php and create a new cookietimeout.thtml to get the job done, but thought there might already be a hack out there.

Alternatively, I could have an array of safe IP addresses such that the cookietimeout value is essentially ignored if the current IP address is not safe. In this case I would only change the lang_cooktime_text variable to explain that the "Remember me for" setting only applies to safe IP addresses.

Also relevant to the subject of preventing unauthorized access, I modified auth.inc.php and loginform.thtml to include the attribute autocomplete="off" for the login form so that browsers don't cache passwords. That appears to work.

Thanks,
Barclay

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
You could replace the dropdown with a hidden input field in the template file. That would disable it for all users and force them to use the timeout you set in that input field.

To make that an option based on the IP address, you would have to modify the code for the usersettings.

bye, Dirk
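Both approaches discussed above (Dirk's hidden input field, and Barclay's safe-IP list) leave one gap a practitioner should close: anything placed in the form, hidden or not, is still sent by the client and can be edited before submission, so the timeout has to be clamped on the server when usersettings.php saves the value, not only in the template. The following is an added example, not Geeklog's own code: a hypothetical helper (names ipIsTrusted and effectiveTimeout are invented) that implements the server-side rule "untrusted addresses always get $_CONF['session_cookie_timeout']; trusted addresses may keep a longer remember-me value, capped at a maximum". The trusted ranges and the sample requests are constructed for the demonstration.

```php
<?php
// Added example (not Geeklog code). Server-side clamp of the user's
// cookietimeout based on a trusted-address allowlist. Names are hypothetical.
declare(strict_types=1);

/**
 * Return true if the IPv4 address $ip falls inside any entry of $trusted.
 * Entries may be CIDR ranges ('192.0.2.0/24') or single hosts ('198.51.100.42').
 * Unparsable addresses and malformed entries never match (fail closed).
 */
function ipIsTrusted(string $ip, array $trusted): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address: untrusted
    }
    foreach ($trusted as $entry) {
        if (strpos($entry, '/') === false) {
            $entry .= '/32';                // bare address means a single host
        }
        [$net, $bits] = explode('/', $entry, 2);
        $netLong = ip2long($net);
        $bits    = (int) $bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue;                       // skip a malformed allowlist entry
        }
        // Build the 32-bit network mask; a /0 would shift by 32, so special-case it
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide the session lifetime (seconds) to actually store for this user.
 *   $serverTimeout : $_CONF['session_cookie_timeout'], e.g. 900 for 15 minutes
 *   $requested     : the cookietimeout value submitted by the form, untrusted
 *   $ip            : the client address (see the note on proxies below)
 *   $trusted       : allowlist of CIDR ranges / hosts
 *   $maxRemember   : hard ceiling for "remember me", default 30 days
 */
function effectiveTimeout(int $serverTimeout, $requested, string $ip,
                          array $trusted, int $maxRemember = 2592000): int
{
    // Form values arrive as strings; accept only a positive whole number
    if (!ctype_digit((string) $requested) || (int) $requested <= 0) {
        return $serverTimeout;
    }
    if (!ipIsTrusted($ip, $trusted)) {
        return $serverTimeout;              // public/unknown machine: short session only
    }
    return min((int) $requested, $maxRemember);
}

// Demonstration with constructed values (not real site data).
$trusted = ['192.0.2.0/24', '198.51.100.42'];   // office LAN plus one home address
$cases = [
    ['192.0.2.17',   '3600'],       // trusted host asks for 1 hour      -> 3600
    ['203.0.113.5',  '3600'],       // untrusted host asks for 1 hour    -> 900
    ['192.0.2.17',   '99999999'],   // trusted host asks for ~3 years    -> 2592000 (capped)
    ['192.0.2.17',   'abc'],        // tampered, non-numeric value       -> 900
];
foreach ($cases as [$ip, $req]) {
    printf("%-14s requested %-9s -> %d seconds\n",
        $ip, $req, effectiveTimeout(900, $req, $ip, $trusted));
}
```

In usersettings.php the call would replace the point where the submitted cookietimeout is stored, with $ip taken from $_SERVER['REMOTE_ADDR']. Two caveats: behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so the allowlist must be evaluated against the real client address the proxy passes on (and only when that header is set by your own proxy, since a client can forge it otherwise); and autocomplete="off" on the login form is honoured inconsistently by current browsers for password fields, so the short server-side timeout remains the control that actually limits a forgotten session on a public machine.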