Require session timeout for Source Interface and Document Interface #880
Comments
This was suggested and debated in an earlier issue. To recap: this is actually a little tricky. The current cookies are "session" cookies, which means they do not have an "Expires:" value set. Therefore, they only last as long as the user's browser session. The easiest way to time out sessions is to have the cookies expire. Unfortunately, this means they will no longer be session cookies, in which case Firefox will write them to disk. We intentionally use session cookies, which are stored in memory and never written to disk, as an anti-forensic measure. It is possible that one of the Tor Browser patches might change this behavior in a way that could mitigate this forensic concern, but I haven't had time to look into it.
Note that the link to the Firefox implementation in the above comment is no longer exactly correct (although it is close) because the exact line number has changed due to modifications to the file since the last comment. If you are looking for the code, look around this comment: `// if it's a non-session cookie and hasn't just been read from the db, write it out.`
@redshiftzero Hackathon candidate.
As described in this comment, this is not trivial, but #1494 would be a good starting point.
I took a look at how Tor Browser handles cookies. In Tor Browser, This means that Tor Browser will clear all cookies (
Done in #1494
A journalist can be logged in to the Document Interface, remain inactive for 10 hours, and then continue working without the system requiring her to log back in again. The same is true for sources on the Source Interface. If possible, consider timing out sessions that have been inactive for a long time.
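One way to get an inactivity timeout while keeping the cookie a memory-only session cookie, as discussed in the first comment, is to carry a signed last-activity timestamp in the cookie value and enforce the limit on the server. The sketch below is an added example, not SecureDrop's code and not the change made in #1494; `SECRET_KEY`, `IDLE_TIMEOUT`, the cookie name and the function names are assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # constructed value; a real app loads a random secret
IDLE_TIMEOUT = 30 * 60                # assumed inactivity limit, in seconds


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(session_id: str, now: float) -> str:
    """Bind the session id to the time of the last request and sign both."""
    payload = f"{session_id}.{int(now)}"
    return f"{payload}.{_sign(payload)}"


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie value. No Expires or Max-Age is set, so the
    browser treats it as a session cookie and keeps it in memory only."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def validate_token(token: str, now: float):
    """Return the session id if the token is authentic and the session has
    been active within IDLE_TIMEOUT; otherwise return None."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        return None
    session_id, ts, sig = parts
    if not ts.isdigit():
        return None
    # Constant-time comparison; the client cannot push the timestamp forward
    # without invalidating the signature.
    if not hmac.compare_digest(sig, _sign(f"{session_id}.{ts}")):
        return None
    age = int(now) - int(ts)
    if age < 0 or age > IDLE_TIMEOUT:
        return None
    return session_id
```

On every request that validates, the server sends a fresh token from `make_token` with the current time, which gives a sliding inactivity window.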