lastuser

Password expiry

Open jace opened this issue 13 years ago • 0 comments

Some client apps may need login sessions to be shorter than browser sessions for security reasons. LastUser should:

  1. Record the datetime when a user authenticated
  2. In an app's config, add an option for session duration

When a user logs into an app with a custom session duration and the user is already logged into LastUser, LastUser should:

  1. Verify that the login datetime is more recent than the app's session time and, if not,
  2. If the user logged in with a password, ask them to re-enter the password (alone), or log out and log in again, or
  3. (this is iffy) If with an external service, indicate which one and ask them to authenticate again

Point 3 is iffy. OAuth services will return without showing any UI since there is an existing token for the current user and the lastuser app. Perhaps security-sensitive apps should insist on the user having a lastuser password before they are allowed to log in.

jace, Dec 12 '11 05:12
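
A sketch of the decision this issue describes, added here as an example; it is not LastUser code. The function name, the `Action` values, the `require_password` flag and the `"twitter"` method label are hypothetical, and timestamps are assumed to be timezone-aware UTC.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"                        # existing login is recent enough
    REENTER_PASSWORD = "reenter_password"  # point 2: prompt for the password alone
    REAUTH_EXTERNAL = "reauth_external"    # point 3: name the service, authenticate again
    REQUIRE_PASSWORD = "require_password"  # app insists on a password the user lacks


def login_action(authenticated_at: Optional[datetime], auth_method: str,
                 has_password: bool, session_duration: Optional[timedelta],
                 require_password: bool = False,
                 now: Optional[datetime] = None) -> Action:
    """Decide what to do when an already logged-in user enters a client app.

    authenticated_at  -- recorded datetime of the user's last authentication
    auth_method       -- "password" or the name of an external service
    session_duration  -- the app's configured limit, None for browser-session default
    require_password  -- hypothetical per-app flag for security-sensitive apps
    """
    now = now or datetime.now(timezone.utc)

    # A security-sensitive app can refuse accounts that only have external
    # logins, since an OAuth round trip may return without showing any UI.
    if require_password and not has_password:
        return Action.REQUIRE_PASSWORD

    # No custom duration configured: the existing session is enough.
    if session_duration is None:
        return Action.ALLOW

    # A missing or future-dated timestamp is treated as stale, never as fresh.
    fresh = (authenticated_at is not None
             and timedelta(0) <= now - authenticated_at <= session_duration)
    if fresh:
        return Action.ALLOW

    # Stale login: prefer the password prompt whenever it gives real assurance.
    if auth_method == "password" or (require_password and has_password):
        return Action.REENTER_PASSWORD
    return Action.REAUTH_EXTERNAL
```
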