jUDDI / JUDDI-559

Authentication Tokens do not expire

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.1.5
    • Component/s: None

      Description

This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chance that, if a token were obtained through a man-in-the-middle attack or through session hijacking, the stolen token could be used to impersonate the user.

Suggestion: assign expiration timestamps to tokens that are administrator configurable. The default setting should be about 15 minutes.
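The mechanism the report asks for, as an added example written for this page (it is not jUDDI's Security API and not the attached patches): tokens are minted from a CSPRNG, carry an issue time and a last-used time, and are rejected and purged once either an idle window or an absolute lifetime has passed. The 15-minute idle default follows the report; the 8-hour absolute cap, the class and method names, and the injectable clock used to simulate elapsed time are assumptions.

```python
# Added example for JUDDI-559: expiring bearer tokens.
# Not jUDDI code.  Names, the 8-hour cap and FakeClock are assumptions;
# the 15-minute idle default is the value the report suggests.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_IDLE_SECONDS = 15 * 60           # from the report
DEFAULT_MAX_LIFETIME_SECONDS = 8 * 3600  # assumed absolute cap


@dataclass
class AuthToken:
    user: str
    issued_at: float
    last_used: float


class TokenStore:
    """Issues, validates and discards bearer tokens.

    A token is live only while BOTH hold:
      now < last_used + idle_seconds          (idle / sliding window)
      now < issued_at + max_lifetime_seconds  (absolute cap)
    The cap matters: with a sliding window alone, whoever holds a stolen
    token keeps it alive indefinitely just by using it regularly.
    `clock` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, idle_seconds: float = DEFAULT_IDLE_SECONDS,
                 max_lifetime_seconds: float = DEFAULT_MAX_LIFETIME_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        if idle_seconds <= 0 or max_lifetime_seconds <= 0:
            raise ValueError("timeouts must be positive")
        self.idle = idle_seconds
        self.max_lifetime = max_lifetime_seconds
        self.clock = clock
        self._tokens: Dict[str, AuthToken] = {}

    def issue(self, user: str) -> str:
        """Mint an unguessable token (256 bits from the OS CSPRNG) for `user`."""
        now = self.clock()
        value = secrets.token_urlsafe(32)
        self._tokens[value] = AuthToken(user=user, issued_at=now, last_used=now)
        return value

    def _expired(self, tok: AuthToken, now: float) -> bool:
        return (now >= tok.last_used + self.idle
                or now >= tok.issued_at + self.max_lifetime)

    def validate(self, value: str) -> Optional[str]:
        """Return the owning user for a live token, else None.

        An expired token is deleted on sight so a later call cannot revive it;
        a live one has its idle window refreshed.
        """
        tok = self._tokens.get(value)
        if tok is None:
            return None
        now = self.clock()
        if self._expired(tok, now):
            del self._tokens[value]
            return None
        tok.last_used = now
        return tok.user

    def discard(self, value: str) -> bool:
        """Explicit logout; True if the token existed."""
        return self._tokens.pop(value, None) is not None

    def purge_expired(self) -> int:
        """For a periodic housekeeping job: drop dead tokens, return the count."""
        now = self.clock()
        dead = [v for v, t in self._tokens.items() if self._expired(t, now)]
        for v in dead:
            del self._tokens[v]
        return len(dead)


class FakeClock:
    """Helper (assumed, not part of any API): a clock that moves only when told."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> bool:
    """Walk a token through refresh, idle expiry and the absolute cap."""
    clock = FakeClock()
    store = TokenStore(idle_seconds=900, max_lifetime_seconds=3600, clock=clock)
    tok = store.issue("alice")
    clock.advance(899)
    assert store.validate(tok) == "alice"   # inside the idle window
    clock.advance(899)
    assert store.validate(tok) == "alice"   # the use above refreshed the window
    clock.advance(900)
    assert store.validate(tok) is None      # 900 s idle: expired and purged
    tok = store.issue("bob")
    for _ in range(4):
        clock.advance(800)
        assert store.validate(tok) == "bob"  # kept alive by regular use
    clock.advance(800)                       # 4000 s since issue exceeds the cap
    return store.validate(tok) is None


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

Expiry is enforced at validation time rather than by a background thread alone, so a stolen token is useless after the window even if the purge job never runs; `purge_expired` only keeps the store from growing. The comparisons use `>=` so a token is dead exactly at the boundary, never one tick past it.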

Attachments

1. ExpiringAuthTokens.patch (16 kB, Alex O'Ree)
2. revised Expiration patch.patch (8 kB, Alex O'Ree)

People

• Assignee: Kurt T Stam (kstam)
• Reporter: Alex O'Ree (spyhunter99)
• Votes: 0
• Watchers: 2
