Moodle in English: User account security improvements

User account security improvements

by Petr Skoda - Friday, October 24, 2014, 9:09 AM

Hi,

I have just submitted a few security related issues for peer-review. The patches are based on existing code from Totara LMS.

I am looking for feedback especially from administrators. If you like these new features please vote for them.

List of proposed new features:

MDL-47800 Logout user when somebody changes their password
MDL-47803 New page that shows all browser sessions of current user
MDL-47830 Add password rotation restrictions
MDL-47834 New option for restriction of concurrent logins

Cheers,
Petr

Re: User account security improvements

by Daniel Neis Araujo - Saturday, October 25, 2014, 1:00 AM

Hello, Petr

nice updates!

The "all browser sessions" is really useful =)

It would also be nice if user logs out in a tab it gets logged-out in all others. Are there any plans on this?

Kind regards,

Daniel

Average of ratings: -

Re: User account security improvements

by Petr Skoda - Sunday, October 26, 2014, 8:42 AM

Hi Daniel,
the logout in one browser always affected all open tabs and windows, there is nothing to fix there in my opinion, I suppose users just need to get used to how the web browsers work.

Cheers,
Petr

Average of ratings: -

Re: User account security improvements

by Daniel Neis Araujo - Sunday, October 26, 2014, 6:22 PM

Hello, Petr

the thing i am talking about is like the facebook feature that when you log-out in one tab, the others will be "blocked" with a message "you have logged out, please login to access this page".

The current behaviour on Moodle is that it only occurs when you try to follow a link in the page or enter another url on the location bar. But if the user does not "change pages" it will have access to content even if user logged out in another tab.

What do you think about it?

Average of ratings: -

Re: User account security improvements

by Danny Wahl - Monday, October 27, 2014, 9:36 AM

I don't think that's really a security feature as much as it is a UX feature. showing an AJAX pop-up when logged out in another tab just prevents the user from seeing a nasty AJAX error, or page error when trying to interact with an invalid session.

There's nothing to stop the user from having saved in any way (ctrl+s, screen shot, etc...) the information that was already on the screen.

Average of ratings: -

Re: User account security improvements

by Petr Skoda - Tuesday, October 28, 2014, 5:22 AM

Hi,

I agree with Danny, this new feature request for indication of session status is more UI related, I guess it would be implemented in the theme. The problem here is the performance cost - each open page would have to repeatedly query the server asking if session is active. If anybody decides to implement this please keep in mind that the session query script must not use standard sessions because it would break session timeouts - use NO_MOODLE_COOKIES, access the cookie id directly and look it up in sessions table.

Cheers,
Petr

Average of ratings: -

Re: User account security improvements

by Tim Hunt - Tuesday, October 28, 2014, 7:00 AM

Which is presumably what Facebook, etc do. Presumably through some sort of Comet connection to the server. (http://en.wikipedia.org/wiki/Comet_(programming) )

I wonder if a time will come when most Moodle pages have a Comet connection to the server, for instant push notifications, etc.

(As probably the most experienced Moodle developer out there, I would be particularly interested to know your thoughts on that, Petr, if you have any.)

Average of ratings: -

Future major features

User account security improvements