Why can we not stay logged in?

On Fri, 14 Sep 2012 16:46:01 +0000, nrickert wrote:

> I have to login after 8 hours, even if there was a lot of activity, with
> the most recent activity perhaps only 30 minutes earlier.

This should not actually be the case - 8 hours of inactivity in a session
(but defined as inactivity related to accessing a protected resource,
which is going to be either a private forum, posting a reply, or posting
a new message).

But everyone’s use case is different - myself, I spend hours logged into
Bugzilla for work related reasons. Those who process bugs tend to do
that.

Ultimately, there are two (possibly more) considerations to be made.
First, that the project opted to use this user data store for a common
login between services.

Second, not everyone’s use case is going to be the same, so customizing
the interface to accommodate multiple conflicting use cases isn’t going
to happen.

Take, for example, the use case of a user who doesn’t want to maintain
multiple different logins for different parts of the openSUSE project -
because remembering multiple login IDs and passwords for those different
parts is too difficult - and perhaps someone has registered their user ID
on the forums.

Or the use case of a user who posts in a forum, then goes to report a
bug based on a discussion in the forums. It’s “inconvenient” for that
user to have to log in to bugzilla in order to report their bug or to
update it after new information comes out in the forum.

My own use case for the forums is quite different, as it would be for
staff. The ability to perform administrative tasks means that there is a
higher security need for those of us who do that, otherwise someone with
access to the forums through one of our accounts could really hork things
up for everyone.

So I tend to access the forums myself only when performing administrative
tasks (I use NNTP primarily otherwise), and I log off the forums (and all
openSUSE/Novell/NetIQ/SUSE resources consequently) when I’m done.

There are certainly pragmatic reasons why it isn’t going to change more
than it has - as I stated, we recognized that 2 hours was far too short a
time for most users, and we’ve upped the timeout accordingly to something
that those who manage the data could live with. The project desired a
common authentication mechanism for all services that involve uniquely
identifying individuals, and that system was in place and used by SUSE
already.

Should the project decide that the cons outweigh the pros, of course that
would affect the forums, and we’d look at migrating to another
authentication mechanism. But such a decision wouldn’t be made lightly,
nor would it be made (I would hope) without regard to the disruption that
would be caused by forcing all users registered with the system(s) to re-
register and re-validate who they are.

Ultimately, I’m going to redirect everyone in this discussion to the
sticky entitled “Why we won’t implement your suggestion”. While that
post generally applies to interface tweaks and the like, the core also
applies to the underlying security architecture.

We do appreciate the feedback, of course. But it’s important to
understand that not everything is as simple as it looks like it should
be, and while we have made accommodation to increase the timeout,
removing it really isn’t an option at this stage.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Eight hours is a long time (you can set the alarm to wake up before that :)). Thirty minutes is a long period of inactivity (I know there are long distractions); logging in again isn’t that hard [on a good day]. However, I agree with your other points.

On 2012-09-14 17:54, Jim Henderson wrote:
> On Fri, 14 Sep 2012 11:58:07 +0000, Carlos E. R. wrote:

> Carlos, you’re bikeshedding.

No, Jim, I’m not, but you are too involved and you do not see the other side of the argument;
you appear to take it as some kind of attack, and that is far from my intention.

I do understand why the forum login is how it is, and that it is not going to change. But I
think that the original decision to use the same login as for bugzilla was a mistake. It
doesn’t affect me, anyway.

I will leave the discussion because I don’t want to distress you more.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On Fri, 14 Sep 2012 21:58:07 +0000, Carlos E. R. wrote:

> On 2012-09-14 17:54, Jim Henderson wrote:
>> On Fri, 14 Sep 2012 11:58:07 +0000, Carlos E. R. wrote:
>
>> Carlos, you’re bikeshedding.
>
> No, Jim, I’m not, but you are too involved and you do not see the other
> side of the argument;

I do see the other side of the argument. I’ve tried to explain why
things are the way they are and why they’re not likely to change.

> you appear to take it as some kind of attack, and that is far from my
> intention.

Far from it.

> I do understand why the forum login is how it is, and that it is not
> going to change. But I think that the original decision to use the same
> login as for bugzilla was a mistake. It doesn’t affect me, anyway.

Which is essentially the definition of “bikeshedding” - you know why
things are the way they are, you know that it’s not likely to change, but
you want to continue to revisit the original decision and talk about it/
debate it even though the discussion isn’t going to affect anything
because the decision is out of your hands and mine.

Even if I agreed that it made sense to change it, that wouldn’t change
that it isn’t likely to change.

I’ve only been doing network security for ~20 years, and while my view
certainly isn’t the only view on how security should be done, I do have
both the background and the knowledge of how things are set up in the
openSUSE infrastructure regarding authentication to speak from a position
of some knowledge on the topic.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I read this because I was utterly bored. I come to the conclusion that you all are utterly bored too.

On 2012-09-15 01:13, Jim Henderson wrote:
> On Fri, 14 Sep 2012 21:58:07 +0000, Carlos E. R. wrote:

I said I would not answer and I will not.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Jim Henderson wrote:
> My own use case for the forums is quite different, as it would be for
> staff. The ability to perform administrative tasks means that there is a
> higher security need for those of us who do that, otherwise someone with
> access to the forums through one of our accounts could really hork things
> up for everyone.
>
> So I tend to access the forums myself only when performing administrative
> tasks (I use NNTP primarily otherwise), and I log off the forums (and all
> openSUSE/Novell/NetIQ/SUSE resources consequently) when I’m done.

The text above illustrates very well the problem everybody is
describing. Significantly, IMO, it nowhere includes the word ‘role’,
which is screaming to be heard.

The security policy is set to be appropriate for administrative actors
and is set for good reasons for those actors, AFAICT.

It is also clearly set to be too strict for ordinary users, as witness
the continuing ‘bikeshedding’ as you call it. Perhaps your own usage of
the ‘workaround’ - NNTP - also illustrates this, but maybe that’s just
preference.

So at present the administrative tail is wagging the community dog.

Even something as ancient as UNIX split the role of ordinary user from
that of administrator.

Even ordinary users may well close their browser a lot more frequently
than they wish to close their forum session. If they have a higher
security role - say that of bank customer, or perhaps even employee or
administrator of some other web-based function, they may well want to
close their browser before and/or after such a session.

On Mon, 17 Sep 2012 10:31:42 +0000, Dave Howorth wrote:

> It is also clearly set to be too strict for ordinary users, as witness
> the continuing ‘bikeshedding’ as you call it. Perhaps your own usage of
> the ‘workaround’ - NNTP - also illustrates this, but maybe that’s just
> preference.

Yes, that’s just a preference - I’ve been using NNTP and text-based
message systems for much longer than web-based forums have been around.

I find it works best for my way of working.

Thanks for your input.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

There’s one point I want to clarify:

The session timeout is designed to be an “idle” timeout, which means that it applies only if you have not done anything in the site for that session period. I am aware of an issue where if you are browsing around the public portions of forums, even when authenticated, the SSO service is not resetting your idle timeout as one might expect it to. The end result is that you are being treated by the system as idle when you shouldn’t be, and you could lose your session unexpectedly after 6-8 hours. We are considering this a bug that needs to be addressed. The issue is a little complex, but we are discussing a couple of possible solutions that will make it so you have to be truly idle in order to lose your session.
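The idle-timeout behaviour Matthew describes, and the bug where browsing public pages does not reset it, modelled as an added example (constructed here, not the forum's SSO code); the store, token and user names are assumptions:

```python
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 8 * 60 * 60  # 8-hour idle limit, as stated in the thread


@dataclass
class Session:
    user: str
    last_activity: float  # seconds on a clock supplied by the caller (assumed)


class SessionStore:
    """Minimal idle-timeout session store (constructed example, not the SSO code).

    refresh_on_public=False reproduces the bug described above: only requests
    for protected resources touch last_activity, so a user who spends the day
    reading public pages looks idle to the server and is logged out.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, refresh_on_public=True):
        self.idle_timeout = idle_timeout
        self.refresh_on_public = refresh_on_public
        self._sessions = {}

    def login(self, token, user, now):
        self._sessions[token] = Session(user=user, last_activity=now)

    def request(self, token, now, protected):
        """Return the user for a live session, or None if absent or expired.

        The idle check runs on every request; whether the request refreshes
        the idle clock depends on the resource type and the refresh policy.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > self.idle_timeout:
            del self._sessions[token]  # idle too long: terminate server-side
            return None
        if protected or self.refresh_on_public:
            sess.last_activity = now
        return sess.user


def simulate(refresh_on_public):
    """Log in, post once, then read public pages every 30 min for 9 hours.

    Returns True if the session is still alive at the end of the day.
    """
    store = SessionStore(refresh_on_public=refresh_on_public)
    store.login("tok", "example_user", now=0)
    now = 60
    store.request("tok", now=now, protected=True)  # posting a reply: protected
    alive = True
    for _ in range(18):  # 18 x 30 min = 9 h of public-page browsing
        now += 30 * 60
        alive = store.request("tok", now=now, protected=False) is not None
    return alive
```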

Thanks for making that clarification Matthew. If this issue can be corrected with the idle timeout, I think the many arguments made here about the session timeouts would be nullified :slight_smile:

Nullified? I hope you meant “satisfied”. :wink:

> Nullified? I hope you meant “satisfied”.

Both, in fact. It means less reason to complain, and that’s a good thing.

I think it should resolve or at least help with most of the complaints. It won’t make it so that you can close your browser and stay authenticated, but I think that’s a good thing. It’s a horrible security practice, as most people have it pretty well ingrained that closing the browser is the easiest way to terminate your sessions. Not terminating a session would be violating a reasonable expectation on the part of the user.

The only reasonable way to do it would be an option that you can check (like Google and Yahoo! do), so that the user can opt in and be well aware of the functionality. However, that would be a nightmare to integrate into our SSO system.

Maybe in your role that is so. However, nullifying a complaint [or its arguments] may not satisfy it, and so it keeps coming back.

What about the situation where the browser is left open, but the system is shut down? On reboot, once the DE is established and the browser restores the previous session, is the user authenticated (logged in) or not? Before the common login/security, it was possible to do it in that situation.

> Maybe in your role that is so. However, nullifying a complaint [or its arguments] may not satisfy it, and so it keeps coming back.

I believe the changes being made are in the right direction. I’m a forum user, just like you. :slight_smile:

> It won’t make it so that you can close your browser and stay authenticated, but I think that’s a good thing. It’s a horrible security practice, as most people have it pretty well ingrained that closing the browser is the easiest way to terminate your sessions. Not terminating a session would be violating a reasonable expectation on the part of the user.

Very true.

If you are referring to the fixing of the bug preventing the session limit from working properly, then I agree that would indeed be progress. I’m used to being automatically logged out if I close my browser on other systems (e.g. online banking needing best security), so I expect the session to be terminated here in that specific case.

MatthewEhle wrote:
> It won’t make it so that you can close your browser and stay
> authenticated, but I think that’s a good thing. It’s a horrible
> security practice, as most people have it pretty well ingrained that
> closing the browser is the easiest way to terminate your sessions. Not
> terminating a session would be violating a reasonable expectation on the
> part of the user.
>
> The only reasonable way to do it would be an option that you can check
> (like Google and Yahoo! do), so that the user can opt in and be well
> aware of the functionality.

Unfortunately, it’s not just Google and Yahoo that do that. Every forum
of which I’m a member, apart from this one, does it. So the reasonable
expectation on the part of this user, and I strongly suspect other
users, is that forums should [provide the checkbox to] keep the session
open. So it is this forum that violates my expectation.

> However, that would be a nightmare to integrate into our SSO system.

That is a real reason either not to make any change or to separate the
forum from the SSO. But it is not a reason to defend the status quo in
principle, IMHO.

Although my expectation now is that the session is closed on browser close, that checkbox feature would indeed be useful here.