google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Admin UI logout or session timeout setting #162

Closed dptom closed 9 years ago

dptom commented 9 years ago

I've had a bit of an issue with the admin sessions surviving browser closure. Where is the timeout setting for the grr server or can we put a logout on to the page? I've noticed that the admin session remains in place when the network connection is broken (because of this crappy wireless network in EWR - and my VPN). Thoughts. I'll check the developer documentation and see if this is something I can easily add.

scudette commented 9 years ago

There is no such thing as an "admin session" - the web app simply uses basic auth to authenticate to the server. The UI does not use cookies or a session per se. The lifetime of the basic auth depends on the browser.

http://stackoverflow.com/questions/5957822/how-to-clear-basic-authentication-details-in-chrome

On 21 April 2015 at 00:44, dptom notifications@github.com wrote:

I've had a bit of an issue with the admin sessions surviving browser closure. Where is the timeout setting for the grr server or can we put a logout on to the page? I've noticed that the admin session remains in place when the network connection is broken (because of this crappy wireless network in EWR - and my VPN). Thoughts. I'll check the developer documentation and see if this is something I can easily add.

— Reply to this email directly or view it on GitHub https://github.com/google/grr/issues/162.
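The point made in this reply, as an added example (not part of the thread and not GRR's code): with Basic auth the browser resends the credentials on every request, so a timeout or logout exists only if the server tracks activity itself and answers 401. The middleware name, the `/logout` path, the demo user and the 15-minute limit are assumptions, and how a browser reacts to the 401 varies by browser.

```python
import base64
import hmac
import time

USERS = {"analyst": "correct horse"}  # constructed demo credentials
IDLE_TIMEOUT = 900  # assumed limit: seconds of inactivity allowed


class BasicAuthIdleTimeout:
    """WSGI middleware: HTTP Basic auth plus a server-side idle timeout."""

    def __init__(self, app, clock=time.monotonic):
        self.app, self.clock = app, clock
        self.last_seen = {}  # username -> time of last accepted request

    def _user(self, environ):
        # Basic auth is stateless: the credentials arrive on every request.
        scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            return None
        name, _, password = decoded.partition(":")
        expected = USERS.get(name, "")
        ok = hmac.compare_digest(password.encode(), expected.encode())
        return name if ok and name in USERS else None

    def _challenge(self, start_response):
        # A 401 with a challenge asks the browser for credentials again.
        headers = [("WWW-Authenticate", 'Basic realm="demo"'),
                   ("Cache-Control", "no-store")]
        start_response("401 Unauthorized", headers)
        return [b"authentication required\n"]

    def __call__(self, environ, start_response):
        user, now = self._user(environ), self.clock()
        if user is None:
            return self._challenge(start_response)
        seen = self.last_seen.get(user)
        expired = seen is not None and now - seen > IDLE_TIMEOUT
        if expired or environ.get("PATH_INFO") == "/logout":
            self.last_seen.pop(user, None)  # next valid login starts fresh
            return self._challenge(start_response)
        self.last_seen[user] = now
        return self.app(environ, start_response)
```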

dptom commented 9 years ago

Okay. I'm just thinking it would be nice to have a logout link or control on every screen so that when we're using a browser like Firefox or Safari (I know these may be evil words for Google, but some companies don't let us use that browser) we can kill the login session. I may be over-simplifying, but I'm thinking of adding a logout link next to the API in the footer and firing a js to tell Django to logout. Not certain if it will work, but thought I'd give it a try.

— Tom Arnold, CISSP, ISSMP, CFS, PCI/PA QSA, Visa SA, PCI PFI, GCFE Principal, Head of Digital Forensics

pidydx commented 9 years ago

From an older issue. https://github.com/google/grr/issues/24

dptom commented 9 years ago

Thanks.... This answered my question. Thank you. I searched through the issues, but didn't come up with this. Please close out my issue as I'll look at my own authentication implementation as suggested.

Best,

— Tom Arnold, CISSP, ISSMP, CFS, PCI/PA QSA, Visa SA, PCI PFI, GCFE Principal, Head of Digital Forensics

pidydx commented 9 years ago

No problem! I just remembered it from before and I had to dig for it a bit myself. For your own auth you will implement a class in gui/webauth.py and then just configure GRR to use that class instead of the default. I can't close the issue, but I think you should have a close button or maybe one of the others can get it.

dptom commented 9 years ago

Excellent. Thanks

Tom Arnold Principal PSC
