View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008916 | Taler | libeufin-bank | public | 2024-06-09 16:53 | 2025-05-08 22:41 |
| Reporter | MarcS | Assigned To | |||
| Priority | low | Severity | feature | Reproducibility | have not tried |
| Status | confirmed | Resolution | open | ||
| Product Version | 0.12 | ||||
| Target Version | post-1.0 | ||||
| Summary | 0008916: Idle logout of demo bank website | ||||
| Description | I experienced that when trying to open bank.head.taler.net, the website showed an "internal error". Probably because my browser still sent an old session cookie but HEAD got updated. After I logged out, I could login again and it worked. ==> instead of showing some internal error, the website should directly go to the login dialog if the session is unknown (or timed out). No need to bug the user with more steps (clicking away that nasty error message plus manually logout) since they need to login anyway. ALL commercial banks do logout users after 15min idle. We should do the same, and dismiss the session after 15min without user input. Please show a count-down telling the user when the session will be terminated, and reset that back to 15 minutes on each user action. | ||||
| Tags | No tags attached. | ||||
|
|
after meeting we decided to split this into two issues: * handling http resp 400 with logout in some cases, it will be tracked with issue 0008916 * enforcing short session like a commercial bank, will be tracked with this issue, implemented server side. |
|
|
Maybe we should use a specific Taler error code for those cases |
|
|
Sure, never wrong to add more specific error codes. |
|
|
If we implement it client-side (SPA), it can be bypassed by a custom client and doesn't really fix anything. From the user PoV it's better for the session to be kept as long as possible so it doesn't need to input the password again and again (unless this bring security problem). If we implement it server-side, this would mean restricting the duration of all tokens created by common users (even the "forever" ones). Since we still need real "forever" tokens for exchange, merchant, anastasis, etc., so I suggests to only apply this to non-exchange users. Marked as post-1.0 nice to have |
|
|
Sebastian: logout of idle sessions is sometimes a *legal* requirement. And the fact that users can bypass this via a custom SPA is hardly an argument, as it presumably protects their sessions from being stolen. |
|
|
I suggest we implement this at the same time when we fix 0009572 as the same logic should apply. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-06-09 16:53 | MarcS | New Issue | |
| 2024-06-09 16:53 | MarcS | Status | new => assigned |
| 2024-06-09 16:53 | MarcS | Assigned To | => sebasjm |
| 2024-06-09 16:56 | MarcS | Description Updated | |
| 2024-06-12 18:37 | sebasjm | Priority | normal => low |
| 2024-06-12 18:37 | sebasjm | Severity | major => minor |
| 2024-06-12 18:37 | sebasjm | Target Version | 0.12 => 0.13 |
| 2024-06-13 18:16 | sebasjm | Assigned To | sebasjm => Antoine A |
| 2024-06-13 18:16 | sebasjm | Category | Web site(s) => libeufin-bank |
| 2024-06-13 18:18 | sebasjm | Relationship added | related to 0008942 |
| 2024-06-13 18:28 | sebasjm | Note Added: 0022597 | |
| 2024-06-16 16:58 | Antoine A | Status | assigned => feedback |
| 2024-06-16 16:58 | Antoine A | Note Added: 0022621 | |
| 2024-07-26 00:06 | Christian Grothoff | Note Added: 0022850 | |
| 2024-07-28 21:49 | Christian Grothoff | Severity | minor => feature |
| 2024-08-05 15:30 | sebasjm | Target Version | 0.13 => post-1.0 |
| 2024-08-05 15:32 | sebasjm | Note Added: 0022921 | |
| 2025-05-08 22:39 | Christian Grothoff | Note Added: 0024853 | |
| 2025-05-08 22:40 | Christian Grothoff | Relationship added | related to 0009572 |
| 2025-05-08 22:41 | Christian Grothoff | Note Added: 0024854 | |
| 2025-05-08 22:41 | Christian Grothoff | Assigned To | Antoine A => |
| 2025-05-08 22:41 | Christian Grothoff | Status | feedback => confirmed |
