-
Notifications
You must be signed in to change notification settings - Fork 965
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Login/2FA trust device #8033
Comments
Some initial questions on this one:
|
If you are asking me:
|
To (1), in talking with @di, 30 days seems to be a reasonable time frame for now. Implementing this should just require storing the relevant session auth cookie information in a Postgres database as opposed to Redis (where it's currently stored for 12 hour expiration lifetime sessions, see warehouse/sessions.py), since that will guarantee that the session information can be stored for those 30 days (Redis is an in-memory db, so doesn't guarantee that). For (2), the main concern is whether you could take a session auth cookie from one device, put it on another, and have it authenticate on the other device. If this isn't really a concern, or session cookies as they're implemented in warehouse/sessions.py already somehow handle this, then it should be fine to leave as is. Other risks are users who are not the intended user having access to a browser with those session cookies on them (e.g. cookie dropped on a public library computer, intended user leaves and forgets to explicitly log out, another user sits down and is already logged in). There's not much we can do to get around that outside of warning the user when clicking "Remember me" that they should be on a private computer. Finally, and this should probably be filed as a separate issue, is that we should always require to re-authenticate any time "important" or "destructive" actions are done if the user hasn't authenticated recently (say in the last 15 minutes). This includes:
Most of these are done in the accounts page, but will require some work to make sure that all the right endpoints are protected by an authentication page. |
While obviously not-as-spec'ed, I would look the other way for a prototype/performance reasons, if you'd stick with Redis (unless it goes into maintenance too much).
I am about to do this exact thing, now that I am migrating from my old, to my new system. It saves a lot of trouble to re-trust and disavow devices. You could counteract this by minimizing valid login time to ~4h (or whatever your site statistics say it is safe to change this value to). |
@ewdurbin you said in chat:
Can you go into more detail here? |
Just realized this is a duplicate of #5867, so closing in favor of that issue. |
Whatever makes the issue move forward 😄 |
What's the problem this feature will solve?
Short (?) login sessions and not trusted devices make non Yubikey authentications lengthy (Ofc, if your Yubikey is e.g. in your keychain, you also need to fetch it every time).
Describe the solution you'd like
Introduce the notion of "Keep me signed in" or "Trust this device and don't ask 2FA for it again".
Additional context
A lot of major services do it, I cannot see the reason (besides time and effort) not to be included.
The text was updated successfully, but these errors were encountered: