We wanted to add another layer of security by ensuring sessions in STORJ DCS are closed automatically when not in use.

| Test Scenario | Test Case | Description | Comments |
|---|---|---|---|
| Cookie Handling | Session ID | When a user logs in and creates a new session, there should be a signed session ID in a cookie | |
| | Request Authorization | With a signed session ID in a cookie, there should be a request to receive the session from the WebappSessions table with the given session ID in the cookie | |
| | Authorization 1 | First, the session is checked for NotFound or whether ExpiresAt has passed, looking it up in the new table by the session ID in the cookie; then the cookie is deleted and the request is not authorized | |
| | Authorization 2 | Second, if there were no issues with authorization in the previous step and the session in the new table is valid for the session ID in the cookie, then the User struct should be received from the database using the UserID in the session | |
| | Logout - Delete Session | If the logout endpoint is called, then the session should be deleted from the database | |
| | Cookie Deletion | The cookie should be deleted only after the session is deleted from the database | |
| | Inactivity Timeout | The session should be invalidated if the user is inactive for a set period of time | |
| | Closing the Browser | A session should be invalidated once the user closes the browser for that session | |
| | New IP Address | If a session is created from a new IP (different from the previous session's), then there should be two-factor authentication to verify the user | |
| | Valid Authorization | If the session in the new table is valid for the session ID in the cookie, then the User struct should be received from the database using the UserID in the session | |
| Multiple Sessions | Logout - Delete Session | If a user is logged into multiple sessions, then all sessions should be invalidated once the user logs out from one of them | |
| | Reset Password | If a user resets their password, then all sessions should be invalidated once the user successfully resets their password | |
| | Inactivity Timeout | Regardless of how many sessions there are, if there is inactivity in one session then all sessions should be invalidated for security purposes | |
| | Closing the Browser | Regardless of how many sessions there are, all sessions should be invalidated once the user closes the browser used for a session | |
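The cookie-handling flow from the test plan above (signed session ID, lookup by ID, rejection when not found or past ExpiresAt, cookie cleared only after the row is gone, activity refreshing the expiry), as an added Go example that is not Storj's own code. The WebappSessions table is replaced by an in-memory map, and the signing key and session rows are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strings"
	"time"
)

// Session mirrors one row of the WebappSessions table in the test plan;
// the table is replaced by an in-memory map here (assumption, not Storj code).
type Session struct {
	UserID    string
	ExpiresAt time.Time
}

var key = []byte("constructed-demo-key") // constructed; a real deployment uses a secret key
var sessions = map[string]Session{}

// Sign produces the cookie value "<id>.<HMAC-SHA256>" so an edited or forged ID is rejected.
func Sign(id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return id + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Authorize is the check behind "Authorization 1/2": verify the signature, load the session by ID,
// clear the cookie and refuse if missing or past ExpiresAt, else extend ExpiresAt by idle and return UserID.
func Authorize(w http.ResponseWriter, r *http.Request, now time.Time, idle time.Duration) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	i := strings.LastIndexByte(c.Value, '.')
	if i < 0 || !hmac.Equal([]byte(Sign(c.Value[:i])), []byte(c.Value)) {
		return "", false // no validly signed session ID: not authorized
	}
	id := c.Value[:i]
	s, ok := sessions[id]
	if !ok || !now.Before(s.ExpiresAt) {
		delete(sessions, id) // drop the expired row first, then delete the cookie
		http.SetCookie(w, &http.Cookie{Name: "session", Value: "", MaxAge: -1, HttpOnly: true})
		return "", false
	}
	s.ExpiresAt = now.Add(idle) // activity (including a running upload) refreshes the session
	sessions[id] = s
	return s.UserID, true
}
```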
Yup, should clarify that this is super high level, so everything you listed should be covered in inactivity timeout! (downloading or uploading atm should count as being active in this case)
Any ETA as to when a fix will be implemented? I tried to upload some files this afternoon, but the system automatically logged me out before the uploading process is finished due to the new session timeout management.
The web interface was not intended for daily usage or uploading big files. While you are waiting for a release, you may use Cyberduck, FileZilla, rclone or uplink.
Which browser are you using? I’ve just tested a workaround using Chrome and the ‘Tab Reloader’ extension…
1. Open a separate tab on the main dashboard page
2. Set the dashboard tab to reload every 30 seconds (thus keeping the session active)
3. On the main tab set your uploads running
4. Ignore any errors as uploads will continue in the background
Hmm, I tried using Filezilla just recently, but the upload speed is just bad. Without an FTP client, my normal upload speed is around 1-2 MBPS, but when using Filezilla, my speed dropped to around 30-50 KBPS max.
In the meantime, the session timeout has been enabled on all production satellites. A big file upload will continue refreshing the session. So the countdown will start after the upload finishes. Same for downloads.