Open acardona opened 8 years ago
My initial inclination is that this is the responsibility of user/operating system, especially because any implementation on our side would be inherently weak or cumbersome, but I'd be interested in hearing other opinions.
There is little we can do about user habits, but at least a soft re-login in the form of a splash screen that needs the login to access the rest of CATMAID would get us some of the way.
While I agree with @aschampion that in principle this should be done through the operating system, I can see some benefit when doing this in CATMAID. Accidental clicks to wake a computer or putting something on a keyboard are user habits that exist and which we are unlikely to change. Clicks and key presses might alter data in CATMAID and even though undo exists, it might be hard to spot that an action was performed (and this is true for most applications/websites). This could be prevented with an auto-logout plus login dialog. If we decide to do this, such a setting should be configurable and persistent.
We already have a login dialog, but would need to make sure no new requests are made after an auto-logout before the user logs in again (to also prevent the anonymous user from doing things accidentally). Maybe this can be achieved by decorating requestQueue and throwing an exception on non-login URLs that would be ignored if there is already a re-login dialog. The last part might cause some trouble though, because not all locations where requests are made are that fault-tolerant yet.
So if this is indeed not very hard to add in a robust fashion and can also be disabled, I would vote for having something like this.
After talking with @acardona about this today, we think the following could be done pretty quickly: record the timestamp (or start a timeout) when the last request was sent that was not in a whitelist (can be done in RequestQueue). E.g. URLs for message retrieval wouldn't be recorded. After a certain amount of time (default e.g. 15min) a screen-filling DIV (white or blurry) is shown plus the option to login again. Only if the user passes the correct credentials does the UI block go away. Of course it should be possible to disable this permanently and configure the idle time.
This would provide at least a small barrier to not accidentally press a key or click a mouse button and it would provide some basic protection against unwanted use of one's CATMAID client. Of course the latter could be prevented easily by reloading or using JavaScript. Also, it doesn't interfere with most of the code (decorating requestQueue would), but also doesn't provide the same level of security.
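As an added illustration of the idle-timer idea sketched in the comment above (not code from CATMAID or its authors; the class and method names, the URL prefixes and the injectable clock are assumptions), a small wrapper around a request dispatcher that counts only non-whitelisted requests as activity and refuses further requests once the lock is up:

```javascript
// Added example, not CATMAID's RequestQueue: a client-side idle lock around a
// request dispatcher. IdleLock, send() and login() are illustrative names; the
// injectable clock replaces Date.now() so the logic can be exercised without
// real timers. Default idle period follows the 15 min suggested in the thread.
class IdleLock {
  constructor({ idleMs = 15 * 60 * 1000, whitelist = [], now = Date.now } = {}) {
    this.idleMs = idleMs;
    this.whitelist = whitelist;   // URL prefixes that do not count as activity
    this.now = now;
    this.lastActivity = now();
    this.locked = false;
    this.blockedRequests = 0;     // requests refused while the lock was up
  }

  // True once the idle period has elapsed since the last counted request.
  isIdle() {
    return this.now() - this.lastActivity >= this.idleMs;
  }

  // Wrap the real dispatcher. Background polls (e.g. message retrieval) are
  // whitelisted: they pass through but never reset the idle timer.
  send(url, dispatch) {
    const background = this.whitelist.some((p) => url.startsWith(p));
    if (!background && (this.locked || this.isIdle())) {
      // Engage the lock (the UI would show its blocking overlay here) and
      // refuse the request, so an accidental click or key press changes nothing.
      this.locked = true;
      this.blockedRequests += 1;
      throw new Error(`locked: re-login required before ${url}`);
    }
    if (!background) this.lastActivity = this.now();
    return dispatch(url);
  }

  // Re-login path: only a successful credential check lifts the lock.
  // This is a client-side barrier only; the server's own session expiry
  // is what actually ends an idle session.
  login(ok) {
    if (!ok) return false;
    this.locked = false;
    this.lastActivity = this.now();
    return true;
  }
}
```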
There are far too many computers that run CATMAID that are left unlocked. It is not an issue for us but it will be for other users. A "screensaver" that requires login to remove it would stop most malicious attempts.
To stop a determined JavaScript-savvy user, some internal state ought to be reset and require re-login. This would likely require a mechanism to restore the widgets as they are.