View Issue Details

ID: 0009265
Project: Taler
Category: libeufin-bank-ui (SPA)
View Status: public
Last Update: 2024-10-15 19:34
Reporter: Antoine A
Assigned To: sebasjm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: git (master)
Target Version: 0.14
Fixed in Version: 0.14
Summary: 0009265: Use ephemeral session token
Description: During their security audit RadicallyOpenSecurity found two issues in how the SPA handles session tokens:
- tokens are created using the "forever" duration
- tokens are not invalidated on "Log out"

Their recommendation:
Tokens should be requested with a reasonable expiration (e.g., 30 minutes for an interactive financial application). The token should be refreshed if the user stays active, ensuring a sliding window of expiration. If the user explicitly opts to log out, the token must be invalidated on the server by invoking the delete("/accounts/{USERNAME}/token") endpoint.
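The lifecycle the auditors recommend, as an added JavaScript example that is not part of this issue or of libeufin-bank-ui's own code: a bounded 30-minute token instead of "forever", a sliding refresh while the user stays active, and a server-side DELETE on logout. Only the endpoint path comes from the issue; the JSON request and response shapes, the "readwrite" scope value and the 5-minute refresh window are assumptions, and the bank it talks to is a constructed in-memory fake so the code runs offline.

```javascript
// Added example, not libeufin-bank-ui code: session-token lifecycle for a browser SPA
// following the auditors' recommendation (bounded lifetime instead of "forever",
// sliding refresh while the user is active, server-side revocation on logout).
// The token endpoint path comes from the issue; JSON shapes, scope and window are assumed.
const SESSION_DURATION_MS = 30 * 60 * 1000; // 30 minutes, as recommended
const REFRESH_WINDOW_MS = 5 * 60 * 1000;    // assumed: refresh once < 5 minutes remain

class SessionManager {
  // fetchFn and now are injectable so the logic can run offline and under test.
  constructor({ baseUrl, username, fetchFn = globalThis.fetch, now = Date.now }) {
    const url = `${baseUrl}/accounts/${encodeURIComponent(username)}/token`;
    Object.assign(this, { url, username, fetchFn, now, token: null, expiresAt: 0 });
  }

  async requestToken(authorization) {
    const res = await this.fetchFn(this.url, {
      method: "POST",
      headers: { Authorization: authorization, "Content-Type": "application/json" },
      // Assumed body: bounded duration (microseconds) and refreshable=true so the
      // session can be extended with the current token while the user stays active.
      body: JSON.stringify({ scope: "readwrite", duration: { d_us: SESSION_DURATION_MS * 1000 }, refreshable: true }),
    });
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const body = await res.json(); // assumed: { access_token, expiration: { t_s } }
    this.token = body.access_token;
    this.expiresAt = body.expiration.t_s * 1000; // epoch milliseconds
    return this.token;
  }

  // Initial login: exchange the password (HTTP basic auth) for a short-lived token.
  login(password) {
    return this.requestToken(`Basic ${btoa(`${this.username}:${password}`)}`);
  }

  isExpired() { return this.token === null || this.now() >= this.expiresAt; }

  // Call on user activity. Refreshes only inside the window, so an active user
  // keeps a sliding 30-minute session while an idle one expires.
  async touch() {
    if (this.isExpired()) { this.token = null; return false; }
    if (this.expiresAt - this.now() > REFRESH_WINDOW_MS) return false;
    await this.requestToken(`Bearer ${this.token}`);
    return true;
  }

  // Explicit logout: drop local state first, then revoke on the server, so a
  // failed DELETE never leaves a usable token behind in the SPA.
  async logout() {
    const token = this.token; this.token = null; this.expiresAt = 0;
    if (token === null) return false;
    const res = await this.fetchFn(this.url, { method: "DELETE", headers: { Authorization: `Bearer ${token}` } });
    return res.ok;
  }
}

// Constructed in-memory stand-in for the bank's token endpoint (not the real server):
// it rotates the token on refresh and removes it on DELETE.
function makeFakeBank(now) {
  const tokens = new Map(); // token -> expiry in epoch ms
  let counter = 0;
  const reply = (status, payload = {}) => ({ ok: status < 300, status, json: async () => payload });
  const fetchFn = async (url, init) => {
    if (!url.endsWith("/accounts/alice/token")) return reply(404);
    const auth = init.headers.Authorization || "";
    const bearer = auth.startsWith("Bearer ") ? auth.slice(7) : null;
    const bearerLive = bearer !== null && tokens.has(bearer) && tokens.get(bearer) > now();
    if (init.method === "DELETE") return reply(bearerLive && tokens.delete(bearer) ? 204 : 401);
    if (auth !== `Basic ${btoa("alice:secret")}` && !bearerLive) return reply(401);
    if (bearerLive) tokens.delete(bearer); // refresh rotates the token
    const { duration } = JSON.parse(init.body);
    const expiry = now() + duration.d_us / 1000;
    const token = `tok-${++counter}`; tokens.set(token, expiry);
    return reply(200, { access_token: token, expiration: { t_s: Math.floor(expiry / 1000) } });
  };
  return { fetchFn, tokens };
}

// Walks the lifecycle against the fake with a controllable clock; returns what happened.
async function demo() {
  const clock = { t: 1700000000000 }; const now = () => clock.t;
  const bank = makeFakeBank(now);
  const session = new SessionManager({ baseUrl: "https://bank.example", username: "alice", fetchFn: bank.fetchFn, now });
  const first = await session.login("secret");
  clock.t += 10 * 60 * 1000;                 // 10 min in: outside the refresh window
  const refreshedEarly = await session.touch();
  clock.t += 17 * 60 * 1000;                 // 27 min in: inside the window, session slides
  const refreshedLate = await session.touch();
  const second = session.token;
  clock.t += 29 * 60 * 1000;                 // 56 min in: still live thanks to the refresh
  const loggedOut = await session.logout();
  const serverTokensAfterLogout = bank.tokens.size;
  await session.login("secret");             // idle scenario: 31 min without activity
  clock.t += 31 * 60 * 1000;
  const expiredAfterIdle = session.isExpired();
  const touchAfterIdle = await session.touch();
  return { first, refreshedEarly, refreshedLate, second, loggedOut, serverTokensAfterLogout, expiredAfterIdle, touchAfterIdle };
}
```

Call demo() to see the sequence: the first touch at 10 minutes leaves the token alone, the touch at 27 minutes rotates it and pushes expiry out another 30 minutes, logout removes it from the fake bank, and a token left idle for 31 minutes reads as expired and is discarded locally. Note that logout clears the local token before the DELETE is even sent, so a network failure during logout cannot leave the SPA holding a live token.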
Tags: No tags attached.

Activities

sebasjm

2024-10-15 16:57

developer   ~0023530

commit 9a7dee809ec56bdc2aa4b33c425e3f5970692bc8
Author: Sebastian
Date: Wed Oct 9 10:47:04 2024 -0300

    delete session token after logout, session duration 30 min, refresh session on refresh window

Issue History

Date Modified Username Field Change
2024-10-11 11:56 Antoine A New Issue
2024-10-11 11:56 Antoine A Status new => assigned
2024-10-11 11:56 Antoine A Assigned To => sebasjm
2024-10-15 16:57 sebasjm Status assigned => resolved
2024-10-15 16:57 sebasjm Resolution open => fixed
2024-10-15 16:57 sebasjm Note Added: 0023530
2024-10-15 19:34 Christian Grothoff Product Version => git (master)
2024-10-15 19:34 Christian Grothoff Fixed in Version => 0.14
2024-10-15 19:34 Christian Grothoff Target Version 1.0 => 0.14