
As a user I do not want the passphrase to be flushed / session to be terminated when the browser is idle

Open thorleifjacobsen opened this issue 5 years ago • 12 comments

Hi

In an 8-hour workday I have to log in around 4-6 times to re-enter my password. I have not ever once pressed the "Logout" button.

Can this function be more robust? It should remember the password even if I leave the PC off for 10 years. I selected "until I logout", not until it thinks I logged out?

I'm guessing this is due to the browser being closed. That is not an "I log out", that is an "I closed the browser". We are dealing with multiple incognito windows and multiple reboots a day, and it should be handled better, or be a setting to keep it logged in permanently?

thorleifjacobsen avatar Jan 03 '20 14:01 thorleifjacobsen

Hello @thorleifjacobsen,

This behavior is intentional. Indeed when the browser is closed or the screen is inactive for some time passbolt will not continue extending the session. We might introduce more options in the future for people who do not want this before. We are trying to strike a balance between security and usability, and there is no one size fits all unfortunately.

You can edit this behavior here: user.js

browser.idle.queryState(idleInterval).then(async (idleState) => {
  if (idleState === 'active' && this._masterPassword !== null) {
    await UserService.keepSessionAlive(this);
  }
  this.setKeepAliveTimeout();
});

and

// Observe when the window is closed, only strategy found to catch when the browser is closed.
// - Flush the temporary stored master password
browser.tabs.onRemoved.addListener((tabId, evInfo) => {
  if (evInfo.isWindowClosing) {
    const user = UserSingleton.getInstance();
    user.flushMasterPassword();
  }
});

stripthis avatar Jan 03 '20 14:01 stripthis

What is the state of this enhancement? In my company users think that this extension is completely useless because of this.

burasuk avatar Aug 05 '20 07:08 burasuk

@burasuk no update at the moment, we're working on other features, but we'll tackle it at some point.

stripthis avatar Aug 06 '20 10:08 stripthis

Still nothing?

thorleifjacobsen avatar Apr 12 '21 09:04 thorleifjacobsen

Bump.

Making me enter my passphrase multiple times during the day and I clicked "Remember until I log out." This renders passbolt quite unusable.

seemsindie avatar Apr 17 '21 10:04 seemsindie

> Hello @thorleifjacobsen,
>
> This behavior is intentional. Indeed when the browser is closed or the screen is inactive for some time passbolt will not continue extending the session. We might introduce more options in the future for people who do not want this before. We are trying to strike a balance between security and usability, and there is no one size fits all unfortunately.
>
> You can edit this behavior here: user.js
>
> browser.idle.queryState(idleInterval).then(async (idleState) => {
>   if (idleState === 'active' && this._masterPassword !== null) {
>     await UserService.keepSessionAlive(this);
>   }
>   this.setKeepAliveTimeout();
> });
>
> and
>
> // Observe when the window is closed, only strategy found to catch when the browser is closed.
> // - Flush the temporary stored master password
> browser.tabs.onRemoved.addListener((tabId, evInfo) => {
>   if (evInfo.isWindowClosing) {
>     const user = UserSingleton.getInstance();
>     user.flushMasterPassword();
>   }
> });

Is user.js still a thing, as I cannae find it anywhere in the extension directory (.config/chromium/default/extensions/$extensiondir)

or does a user.js have to be created from scratch?

dm2912 avatar Sep 05 '21 13:09 dm2912

@dm2912 It's here: https://github.com/passbolt/passbolt_browser_extension/blob/master/src/all/background_page/model/user.js

garrettboone avatar Sep 05 '21 16:09 garrettboone

> @dm2912 It's here: https://github.com/passbolt/passbolt_browser_extension/blob/master/src/all/background_page/model/user.js

Yeh, found that. Wasn't entirely clear what to do with it, but figured it out. Dropping it into the root of the extension folder .config/chrome/$user/$extensiondir, it seems to act as an override.

The user.js seems to have changed somewhat from the original quote. But I found that commenting out the following two lines has been enough to allow it to persist post restart of the browser

   init : function () {
      // Observe when the user session is terminated.
      // - Flush the temporary stored master password
      window.addEventListener("passbolt.auth.after-logout", () => {
        const user = UserSingleton.getInstance();
>>>>>>        //user.flushMasterPassword();
>>>>>>       //user.stopSessionKeepAlive();
      });

Not quite figured out extending the idle time, but I presume this section. For now I have adjusted the 15 minutes to a few hours to see if it then makes me re-login the next day (I'm the only one with access to my machine)

  /**
   * Keep session alive if user's system is active for last 15 min
   * @returns void
   */
  this.keepAlive = function() {
>>>>>>> const idleInterval = 15 * 60; // detection interval in sec: 15 minutes
    browser.idle.queryState(idleInterval).then( async (idleState) => {
      if (idleState === 'active' && this._masterPassword !== null) {
        const apiClientOptions = await this.getApiClientOptions();
        const userService = new UserService(apiClientOptions)
        await userService.keepSessionAlive();
      }
      this.setKeepAliveTimeout();
    });
  };

dm2912 avatar Sep 05 '21 18:09 dm2912

I'm experiencing the same issue here. I would like to work with Passbolt more but this is providing quite the roadblock in order for our team over at MergeLabs to demonstrate and trial run both the extension and the software. Thanks for the hard work thus far, there appear to be many hurdles to jump, but this one is a real bump in the road in an otherwise smooth-running service.

kibblewhite avatar Sep 23 '21 12:09 kibblewhite

Would this be considered again? I think there should be a setting for keeping the session even when the browser is closed or the screen is inactive.

We moved from Dashlane to passbolt in order to improve our security with the shared passwords in the team, but having to log in multiple times per day is really annoying compared to Dashlane, where I had the option to stay logged in for 14 days.

emiliencartesoft avatar Jul 06 '22 07:07 emiliencartesoft

Just as an additional data point: We used to have this problem years ago, but for us it helped to change the following global default setting in php.ini:

session.gc_maxlifetime = 1440

(Or add the setting if it's not there, as this is also the default if it's not set at all.)

As laid out in answers to this SO question, this was originally meant to mean 1440 minutes = 24 hours and was erroneously carried over, but now means 1440 seconds = 24 minutes. To this day, nobody has bothered to fix this on the PHP side; it's still documented here to default to 1440.

This is of course ridiculously short and was never meant to be this short. Setting it instead to 43200 (12 hours) has fixed this issue for us for good.

Slightly related to this, there was this earlier passbolt issue I reported back then, where some PB front end code also assumed this setting to be minutes, leading to other misbehavior after we increased that setting. This should no longer be relevant in current PB versions though.

TB-effective avatar Jul 06 '22 10:07 TB-effective
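
The two mechanisms discussed in this thread, the extension's 15-minute idle check and the server's `session.gc_maxlifetime`, can be modelled together to see when a session lapses during a workday. The following is an added example, not part of the thread and not passbolt's code. Assumptions: the keep-alive tick period (`tickPeriod`, 5 minutes) is hypothetical, the activity timelines are constructed, and the server session is treated as expiring exactly `sessionLifetime` seconds after the last keep-alive request.

```javascript
// Added model, not passbolt's code. Times are in seconds since login at t = 0.
// Simplification: the server session expires exactly sessionLifetime seconds
// after the last keep-alive request that reached it.

// Constructed input: one user-input timestamp every `step` seconds in [from, to].
const span = (from, to, step = 60) =>
  Array.from({ length: Math.floor((to - from) / step) + 1 }, (_, i) => from + i * step);

/**
 * @param {number[]} activity  sorted timestamps of user input (constructed)
 * @param {object} cfg  idleInterval and sessionLifetime as in the thread;
 *                      tickPeriod is an assumed keep-alive timer period
 * @param {number} endTime  end of the observed period
 * @returns {number|null} time the session expired, or null if it survived
 */
function sessionExpiry(activity, { idleInterval, sessionLifetime, tickPeriod }, endTime) {
  let lastExtended = 0; // login counts as the first request
  let lastActivity = 0;
  let next = 0;
  for (let t = tickPeriod; t <= endTime; t += tickPeriod) {
    // The server has already dropped the session: a keep-alive now is too late.
    if (t - lastExtended > sessionLifetime) return lastExtended + sessionLifetime;
    while (next < activity.length && activity[next] <= t) lastActivity = activity[next++];
    // Same test as `idleState === 'active'`: input seen within idleInterval.
    if (t - lastActivity < idleInterval) lastExtended = t;
  }
  return endTime - lastExtended > sessionLifetime ? lastExtended + sessionLifetime : null;
}

const WORKDAY = 8 * 3600;
const base = { idleInterval: 15 * 60, tickPeriod: 5 * 60 }; // tickPeriod: assumption
const lunchDay = [...span(0, 7200), ...span(9900, WORKDAY)];  // 45-minute break
const coffeeDay = [...span(0, 7200), ...span(8400, WORKDAY)]; // 20-minute break

// 45-minute break, PHP default of 1440 s: session is gone before the user returns.
console.log(sessionExpiry(lunchDay, { ...base, sessionLifetime: 1440 }, WORKDAY));
// Same day with the 43200 s value from the comment above: session survives.
console.log(sessionExpiry(lunchDay, { ...base, sessionLifetime: 43200 }, WORKDAY));
// 20-minute break with the default: the next active tick arrives in time.
console.log(sessionExpiry(coffeeDay, { ...base, sessionLifetime: 1440 }, WORKDAY));
```

Raising `sessionLifetime` or `idleInterval` removes the mid-day expiry, and it also lengthens how long an unattended session stays valid on the server.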