40 lines
3.0 KiB
Plaintext
40 lines
3.0 KiB
Plaintext
=== on 4 Mar 2016, 15:57:46 Tomislav Nakic-Alfirevic wrote:
|
|
Interesting: I need the exact opposite: we consider our office network a "safe" zone and see session timeouts and consequential login screens as unnecessary interruptions. The effect is similar, however: we too would like to have the duration of the session to be configurable.
|
|
|
|
|
|
For now, we have done this by directly editing web.xml, but this will be overwritten with the next upgrade, so a more permanent, set-and-forget solution would be welcome. Obviously a minor inconvenience, but I don't imagine it requires too much effort to support, either.
|
|
|
|
=== on 4 Mar 2016, 16:14:24 Ann Campbell wrote:
|
|
\[~tna] I understand where you're coming from, but as devil's advocate, I'm going to pose the following scenario: I'm working remotely because I'm on the road for (insert relevant scenario). I decide to stop at Starbucks to get a latte and check (something that would make me VPN in). And then I forget to lock my computer when I step away from my laptop to use the bathroom at Starbucks...
|
|
|
|
|
|
Okay, maybe you don't offer VPN access... yet.
|
|
|
|
|
|
But you get my point.
|
|
|
|
=== on 4 Mar 2016, 16:45:02 Tomislav Nakic-Alfirevic wrote:
|
|
Hi Ann, thank's for the quick comment. Indeed, I do get your point, but:
|
|
|
|
|
|
1) how probable is the sequence of events you've described (on the road, VPN connection on, logged into Sonar, leaves the machine without locking it...), especially given that another very rare event has to happen, which is that there should be a malevolent person there who calmly sits down at your machine - in front of other customers! - and wreaks havoc on your Sonar instance...?
|
|
|
|
|
|
2) extreme improbability aside, your scenario would lead to a security breach even without a configurable timeout, i.e. with current latest release of Sonar, because the way you described it, the default 20 minute-session would still be active and the bad guy could do his stuff as soon as you closed the bathroom door
|
|
|
|
|
|
3) the default value is completely arbitrary (there's nothing special about the value "20 minutes"...), which makes it's absolutely legitimate for users to want a different arbitrary value, if you will.
|
|
|
|
|
|
Again, low priority and low implementation effort (for someone with experience with Sonar code), but still valuable from my perspective.
|
|
|
|
=== on 4 Mar 2016, 17:13:47 Ann Campbell wrote:
|
|
I think there's a misunderstanding here [~tna]: These are rule specification tickets, not tickets for work to be done on the SonarQube platform. It sounds like you're simply after the already-available "Remember me on this computer" feature.
|
|
|
|
=== on 15 Aug 2016, 23:49:55 Tomislav Nakic-Alfirevic wrote:
|
|
\[~ann.campbell.2] I'm not sure. "Remember me" is what's typically used to log back in easily when your session times out. What I'm talking about is being able to set the session to a very large period of time, so that logging back in isn't needed in the first place.
|
|
|
|
=== on 16 Aug 2016, 13:38:25 Ann Campbell wrote:
|
|
\[~tna] you need to open a thread for this on the https://groups.google.com/forum/?pli=1#!forum/sonarqube[Google group].
|
|
|