[JUDDI-559] Authentication Tokens do not expire - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.4
Fix Version/s: 3.1.5
Component/s: None
Labels:
- authentication
- security

Description

This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chances if a token could be obtained through a man in the middle attack or through session hijacking that the stolen token could be used to impersonate the user.

Suggestion, assign expiration timestamps to tokens that is administrator configurable. Default setting should be about 15 minutes.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

revised Expiration patch.patch
03/Mar/13 19:31
8 kB
Alex O'Ree
ExpiringAuthTokens.patch
02/Mar/13 04:02
16 kB
Alex O'Ree

Activity

People

Assignee:: Kurt Stam

Reporter:: Alex O'Ree

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Mar/13 01:14

Updated:: 04/Mar/13 20:16

Resolved:: 04/Mar/13 19:21