Future major features

User account security improvements

Petr Skoda

Hi,

I have just submitted a few security related issues for peer-review. The patches are based on existing code from Totara LMS.

I am looking for feedback especially from administrators. If you like these new features please vote for them.

List of proposed new features:

  • MDL-47800 Logout user when somebody changes their password
  • MDL-47803 New page that shows all browser sessions of current user
  • MDL-47830 Add password rotation restrictions
  • MDL-47834 New option for restriction of concurrent logins

Cheers,
Petr

 
Average of ratings: Useful (3)
Daniel Neis Araujo
Re: User account security improvements

Hello, Petr

Nice updates!

The "all browser sessions" is really useful =)

It would also be nice if, when a user logs out in a tab, they get logged out in all the others. Are there any plans for this?


Kind regards,

Daniel

 
Petr Skoda
Re: User account security improvements
Hi Daniel,
The logout in one browser always affected all open tabs and windows; there is nothing to fix there in my opinion. I suppose users just need to get used to how web browsers work.

Cheers,
Petr
 
Daniel Neis Araujo
Re: User account security improvements

Hello, Petr

The thing I am talking about is like the Facebook feature where, when you log out in one tab, the others are "blocked" with a message "you have logged out, please login to access this page".

The current behaviour in Moodle is that this only occurs when you try to follow a link in the page or enter another URL in the location bar. But if the user does not "change pages", they will have access to content even if they logged out in another tab.

What do you think about it?

 
Danny Wahl
Re: User account security improvements

I don't think that's really a security feature as much as it is a UX feature. Showing an AJAX pop-up when logged out in another tab just prevents the user from seeing a nasty AJAX error, or page error, when trying to interact with an invalid session.

There's nothing to stop the user from having saved in any way (Ctrl+S, screenshot, etc.) the information that was already on the screen.

 
Petr Skoda
Re: User account security improvements
Hi,

I agree with Danny: this new feature request for indication of session status is more UI related, and I guess it would be implemented in the theme. The problem here is the performance cost - each open page would have to repeatedly query the server asking if the session is active. If anybody decides to implement this, please keep in mind that the session query script must not use standard sessions because it would break session timeouts - use NO_MOODLE_COOKIES, access the cookie id directly and look it up in the sessions table.

Cheers,
Petr
 
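The timeout caveat in the post above, as a small model added here for illustration (it is not Moodle code and not part of the thread): a status poll that goes through the normal session path keeps an idle session alive forever, while a read-only lookup by cookie id lets it expire. The table columns, cookie name, timeout value and 60-second poll interval are assumptions made for the model.

```python
import sqlite3
from http.cookies import SimpleCookie

TIMEOUT = 7200            # assumed idle timeout, in seconds
COOKIE = "MoodleSession"  # assumed cookie name for this model

def make_db(now):
    """In-memory stand-in for the sessions table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, userid INTEGER, timemodified INTEGER)")
    db.execute("INSERT INTO sessions VALUES ('abc123', 42, ?)", (now,))
    return db

def sid_from_cookie(header):
    """Read the session id straight from the Cookie header; no session is started."""
    morsel = SimpleCookie(header).get(COOKIE)
    return morsel.value if morsel else None

def is_active(db, sid, now):
    """Read-only lookup: never writes timemodified, so it cannot extend the session."""
    row = db.execute("SELECT userid, timemodified FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return bool(row) and row[0] > 0 and now - row[1] <= TIMEOUT

def status_readonly(db, header, now):
    """Status endpoint as the post recommends: cookie id lookup only."""
    sid = sid_from_cookie(header)
    return sid is not None and is_active(db, sid, now)

def status_standard_session(db, header, now):
    """What a normal request does: validate, then refresh the activity timestamp."""
    sid = sid_from_cookie(header)
    if sid is None or not is_active(db, sid, now):
        return False
    db.execute("UPDATE sessions SET timemodified = ? WHERE sid = ?", (now, sid))
    return True

def poll_idle_tab(check, idle_seconds, interval=60):
    """Simulate an idle open tab polling `check`; return the last status seen."""
    db, header, active = make_db(0), f"{COOKIE}=abc123; theme=x", True
    for now in range(interval, idle_seconds + 1, interval):
        active = check(db, header, now)
    return active

if __name__ == "__main__":
    print("standard session poll:", poll_idle_tab(status_standard_session, 3 * TIMEOUT))
    print("read-only poll:       ", poll_idle_tab(status_readonly, 3 * TIMEOUT))
```
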
Tim at Lone Pine Koala Sanctuary
Re: User account security improvements

Which is presumably what Facebook, etc. do. Presumably through some sort of Comet connection to the server. (http://en.wikipedia.org/wiki/Comet_(programming))

I wonder if a time will come when most Moodle pages have a Comet connection to the server, for instant push notifications, etc.

(As probably the most experienced Moodle developer out there, I would be particularly interested to know your thoughts on that, Petr, if you have any.)
