xoa password change bug - to verify
-
@olivierlambert I think I've found an ugly bug in xoa - today at work I changed passwords for the xoa admin user; at home I've got a laptop on which I had been logged in to xoa for a few days, and unfortunately on my laptop I can still do anything on any server... I'm still logged in to xoa despite the password having changed, so not good. Can you verify that on your site?
I think that we need something that will check whether the password has been changed and then log the user off in that case.
-
If you selected "Remember me" when you connected, it's not a bug, but a feature. However, you can manage the token expiration time and put a lower value.
-
It's just a way of doing token expiration. One solution to this is to have a button on the user's page to retract all tokens for a user after changing the password.
-
For me it's a "bug"... When I suspect that someone knows my password, I change the password for xoa so no one else can access the system but me.
-
Ping @julien-f
-
-
@akurzawa said in xoa password change bug - to verify:
For me it's a "bug"... When I suspect that someone knows my password, I change the password for xoa so no one else can access the system but me.
I don't think removing all tokens on password change is a good idea, XO should provide an explicit way to do this, like a big button on the user settings page, what do you think?
@akurzawa said in xoa password change bug - to verify:
where to set the token time?
You can override these settings in your xo-server's config: https://github.com/vatesfr/xen-orchestra/blob/1cdd1fa00ea2549fdebbf72da0edc91debd98908/packages/xo-server/config.toml#L36-L46
-
@julien-f said in xoa password change bug - to verify:
I don't think removing all tokens on password change is a good idea, XO should provide an explicit way to do this, like a big button on the user settings page, what do you think?
Just like Facebook or Gmail - when you change your password you are asked if you want to log off from all devices/sessions - maybe like that?
-
@akurzawa said in xoa password change bug - to verify:
Just like Facebook or Gmail - when you change your password you are asked if you want to log off from all devices/sessions - maybe like that?
Good idea, would you mind creating a ticket for this?
https://github.com/vatesfr/xen-orchestra/issues/new
-
Will do. Done.
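
The behaviour discussed in this thread, as an added example that is not part of any post and is not xo-server code: "Remember me" tokens are independent of the password, so they stay valid after a password change until they expire or are explicitly revoked. `TokenStore`, `changePassword` and the `logoutOthers` option are hypothetical names, and the password hash is assumed to be computed elsewhere.

```javascript
// Added example (hypothetical names, not the xo-server implementation).
const { randomBytes } = require("node:crypto");

class TokenStore {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;      // token lifetime, the "token expiration time" setting
    this.tokens = new Map(); // token id -> { userId, expiresAt }
  }

  // Issue a bearer token, as a "Remember me" login would.
  create(userId, now = Date.now()) {
    const id = randomBytes(32).toString("hex");
    this.tokens.set(id, { userId, expiresAt: now + this.ttlMs });
    return id;
  }

  // Return the user id for a live token, or null if unknown or expired.
  check(id, now = Date.now()) {
    const t = this.tokens.get(id);
    if (t === undefined) return null;
    if (t.expiresAt <= now) {
      this.tokens.delete(id);
      return null;
    }
    return t.userId;
  }

  // Revoke every token of one user, optionally keeping the requesting session.
  revokeAll(userId, keepId = null) {
    let revoked = 0;
    for (const [id, t] of this.tokens) {
      if (t.userId === userId && id !== keepId) {
        this.tokens.delete(id);
        revoked++;
      }
    }
    return revoked;
  }
}

// Password change: existing tokens survive unless the user opts in to
// logging out the other sessions. Returns the number of revoked tokens.
function changePassword(users, store, userId, newHash, { currentToken, logoutOthers }) {
  users.set(userId, newHash); // newHash: already-hashed password (assumption)
  return logoutOthers ? store.revokeAll(userId, currentToken) : 0;
}
```

Keeping the requesting session out of the revocation lets the user stay logged in on the device where the password was changed while every other device is logged off.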