Closed thorleifjacobsen closed 3 months ago
Hello @thorleifjaocbsen,
This behavior is intentional. Indeed, when the browser is closed or the screen is inactive for some time, passbolt will not continue extending the session. We might introduce more options in the future for people who do not want this before. We are trying to strike a balance between security and usability, and there is no one-size-fits-all, unfortunately.
You can edit this behavior here: user.js
    browser.idle.queryState(idleInterval).then(async (idleState) => {
      if (idleState === 'active' && this._masterPassword !== null) {
        await UserService.keepSessionAlive(this);
      }
      this.setKeepAliveTimeout();
    });
and
    // Observe when the window is closed, only strategy found to catch when the browser is closed.
    // - Flush the temporary stored master password
    browser.tabs.onRemoved.addListener((tabId, evInfo) => {
      if (evInfo.isWindowClosing) {
        const user = UserSingleton.getInstance();
        user.flushMasterPassword();
      }
    });
What is the state of this enhancement? In my company users think that this extension is completely useless because of this.
@burasuk no update at the moment, we're working on other features, but we'll tackle it at some point.
Still nothing?
Bump.
Making me enter my passphrase multiple times during the day and I clicked "Remember until I log out." This renders passbolt quite unusable.
is user.js still a thing as i cannae find it anywhere in the extension directory (.config/chromium/default/extensions/$extensiondir)
or does a user.js have to be created from scratch?
@dm2912 It's here: https://github.com/passbolt/passbolt_browser_extension/blob/master/src/all/background_page/model/user.js
yeh, found that. wasn't entirely clear what to do with it, but figured it out. dropping it into the root of the extension folder .config/chrome/$user/$extensiondir it seems to act as an override
The user.js seems to have changed somewhat from the original quote. But I found that commenting out the following two lines has been enough to allow it to persist post restart of the browser
    init : function () {
      // Observe when the user session is terminated.
      // - Flush the temporary stored master password
      window.addEventListener("passbolt.auth.after-logout", () => {
        const user = UserSingleton.getInstance();
    >>>>>> //user.flushMasterPassword();
    >>>>>> //user.stopSessionKeepAlive();
      });
not quite figured out extending the idle time but I presume this section. For now I have adjusted the 15 minutes to a few hours to see if then it makes me re-login the next day (I'm the only one with access to my machine)
    /**
     * Keep session alive if user's system is active for last 15 min
     * @returns void
     */
    this.keepAlive = function() {
    >>>>>>> const idleInterval = 15 * 60; // detection interval in sec: 15 minutes
      browser.idle.queryState(idleInterval).then(async (idleState) => {
        if (idleState === 'active' && this._masterPassword !== null) {
          const apiClientOptions = await this.getApiClientOptions();
          const userService = new UserService(apiClientOptions);
          await userService.keepSessionAlive();
        }
        this.setKeepAliveTimeout();
      });
    };
I'm experiencing the same issue here. I would like to work with Passbolt more but this is providing quite the roadblock in order for our team over at MergeLabs to demonstrate and trial run both the extension and the software. Thanks for the hard work thus far, there appear to be many hurdles to jump, but this one is a real bump in the road in an otherwise smooth-running service.
Would this be considered again? I think there should be a setting for keeping the session even when the browser is closed or the screen is inactive.
We moved from Dashlane to passbolt in order to improve our security with the shared passwords in the team, but having to log in multiple times per day is really annoying compared to Dashlane, where I had the option to stay logged in for 14 days.
Just as an additional data point: We used to have this problem years ago, but for us it helped to change the following global default setting in php.ini:
session.gc_maxlifetime = 1440
(Or add the setting if it's not there, as this is also the default if it's not set at all.)
As laid out in answers to this SO question, this was originally meant to mean 1440 minutes = 24 hours and was erroneously carried over, but now means 1440 seconds = 24 minutes. To this day, nobody has bothered to fix this on the PHP side, it's still documented here to default to 1440.
This is of course ridiculously short and was never meant to be this short. Setting it instead to 43200 (12 hours) has fixed this issue for us for good.
Slightly related to this, there was this earlier passbolt issue I reported back then, where some PB front end code also assumed this setting to be minutes, leading to other misbehavior after we increased that setting. This should no longer be relevant in current PB versions though.
As the only user of my computer, where my computer is in a secure environment, I would very much appreciate not having to enter my password in repeatedly. I would be very happy with an option to "remember forever".
If the concern is that people will do the least secure thing in an insecure environment, then provide an option for the passbolt instance owner to control the session lifetime.
I was looking for the mentioned code modifications and they're gone since approx. 2020. What should we modify in the latest releases? I think it's a game changer for all MSPs, since it's not realistic to type in a very long, complicated password 10 times a day. At home, in the office, at client 1, at client 2, in the office again, after coffee break (since laptop lid shut down), at home again, etc. It's not a special feature, I think all password managers have it, except for Passbolt. It's a shame. We've been investigating alternatives to Lastpass, and Passbolt will fail because of this "intentional" behavior.
We have ended up using https://passit.io/ because of this roadblock.
Thank you. We will give it a try.
As of today, the session is not terminated when the browser is idle, so this issue can be considered resolved in that context.
However, the session does expire if the laptop goes into idle mode for a period longer than the session duration. In such cases, the extension cannot contact the server to extend the session. This issue can be addressed by extending the session duration if you have administrative access to the server running the API. For more information, you can refer to this documentation: How to Increase Auto-Logout Time.
I’m closing this ticket as the original issue has been resolved for some time now.
We'll investigate improving the session handling in v5, e.g. provide an auto re-login if the passphrase is still known by the browser extension but the session is expired. This means people will still be logged out when closing their browser or when the browser extension / browser is updating, but that should be less frequent than now.
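The interaction described above between the extension's keep-alive check and the server-side session lifetime, as an added simulation that is not part of the thread or Passbolt's code. It assumes a sliding server session with lifetime `ttl` (1440 s and 43200 s are the php.ini values mentioned earlier in the thread), the 15-minute idle interval from the quoted user.js, a hypothetical 5-minute keep-alive period, and a passphrase that stays remembered throughout; the timelines are constructed.

```javascript
// Added illustration: a simplified model, not Passbolt code.
// Server: sliding session that expires `ttl` seconds after the last request.
// Client: every `period` seconds (assumed 300 s) the keep-alive timer fires and
// extends the session only if there was user input within `idleInterval`
// (15 min, as in the quoted user.js). Timers do not fire while suspended.
// Returns the time (s) at which the server dropped the session, or null.
function simulate({ ttl, timeline, period = 300, idleInterval = 15 * 60 }) {
  const end = timeline[timeline.length - 1].to;
  let lastRequest = 0; // login at t = 0 counts as the first request
  let lastInput = 0;
  for (let t = period; t <= end; t += period) {
    const seg = timeline.find((s) => t > s.from && t <= s.to);
    if (seg.state === "asleep") continue; // laptop suspended: nothing runs
    if (t - lastRequest > ttl) return lastRequest + ttl; // expired server-side
    if (seg.state === "active") lastInput = t;
    if (t - lastInput < idleInterval) lastRequest = t; // keep-alive request sent
  }
  return end - lastRequest > ttl ? lastRequest + ttl : null;
}

// Constructed timelines: one hour of work, one hour away, one hour of work.
const HOUR = 3600;
const lidClosed = [
  { from: 0, to: HOUR, state: "active" },
  { from: HOUR, to: 2 * HOUR, state: "asleep" }, // lid shut, machine suspended
  { from: 2 * HOUR, to: 3 * HOUR, state: "active" },
];
// Same day, but the machine stays awake with no user input (screen inactive).
const screenIdle = lidClosed.map((s) =>
  s.state === "asleep" ? { ...s, state: "idle" } : s
);

console.log("lid closed, ttl 1440 :", simulate({ ttl: 1440, timeline: lidClosed }));
console.log("lid closed, ttl 43200:", simulate({ ttl: 43200, timeline: lidClosed }));
console.log("screen idle, ttl 1440:", simulate({ ttl: 1440, timeline: screenIdle }));
```

With the short lifetime the session is gone 24 minutes into the break in the suspended case, while the idle-but-awake case lasts slightly longer because keep-alives continue until the 15-minute idle threshold is reached.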
Hi
In an 8-hour workday I have to log in around 4-6 times to re-enter my password. I have not ever once pressed the "Logout" button.
Can this function be more robust? It should remember the password even if I leave the PC off for 10 years. I selected "until I logout", not until it thinks I logged out?
I'm guessing this is due to the browser being closed. That is not a "I log out" that is "I closed the browser", we are dealing with multiple incognito windows, multiple reboots a day and it should be handled better, or be a setting to keep it logged in permanently?