Description
A developer signed in to the 3Scale developer portal and left the tab inactive for over one day; the next day, they could still edit their account info without re-authentication.
These session settings should be configurable for the developer portal:
1. Session inactivity timeout value, e.g. 15 minutes, as most online banks use
2. Session maximum lifetime value, e.g. 2 hours
Overly long inactivity timeout and maximum session timeout values give a threat actor more opportunities for session hijacking.
Issue Links
- duplicates
  - THREESCALE-693 Valid login session length should be configurable (Closed)
  - THREESCALE-7143 Valid login session length should be configurable (Closed)