
Webinterface cookie lifetime

Hello,


Currently the Webinterface cookie expires as soon as you close your browser if you haven't explicitly enabled session restoring in your browser.

I'd like to change this behavior so that they only expire after 4 weeks.


How can I configure this?


Thank you in advance.

Patrick


Best Answer

We do not allow for this...this would create security concerns.  The login cookie is always session based for the browser.


Hello Ben, it's good to know you care about security. However, in some use cases the highest security settings don't always fit your customers' needs.

So why not leave it as is as the default setting and allow administrators to override it? I want to decide on my own whether I need this extra security or not.


Thanks.

To appease you I have added this.  Update now to the latest build...even if it says you're on the latest.  Then edit prefs.xml, adjust "cookie_expire_hours" to be 672 (4 weeks) and save.


Now your cookie should live on for up to 4 weeks.


There are aspects about using this we will not support.  We will not support any security audits you fail as this is a very bad idea.  We will not support you if CrushFTP runs out of memory and crashes...which is likely to happen if your server faces the internet and a robot hits your server and fills up the memory with new random cookies that will last for 4 weeks...


I strongly recommend not doing this.  But I have now allowed it.  In your prefs.xml, adjust the http session timeout to 672 and the user's idle timeout to 672 as well in the User Manager, on the default user.


Thanks,

Ben

Ben, I'm really excited about how fast you implemented this feature request. Thank you very much!

Our/Your client has updated and I'll be able to test the setup within the next few days.

Thanks again
Patrick

 
