cloudstack-dev mailing list archives

From Kelven Yang <kelven.y...@citrix.com>
Subject RE: Security aspects of CloudStack console access
Date Sat, 21 Apr 2012 03:50:31 GMT
It is hard-coded to 2 minutes. We assume from the time that management has generated the token,
the browser should be able to start a session within this time period. It also means that if someone
has already broken our first layer (HTTPS web session) of security, he/she has up to 2 minutes
to break the 64-bit keyed DES access token. Not sure if it is strong enough though; I'm looking
forward to hearing from security experts in the community to comment on that.

Kelven

-----Original Message-----
From: David Nalley [mailto:david@gnsa.us] 
Sent: Friday, April 20, 2012 6:48 PM
To: cloudstack-dev@incubator.apache.org
Cc: Development discussions for CloudStack
Subject: Re: Security aspects of CloudStack console access

On Fri, Apr 20, 2012 at 9:36 PM, Kelven Yang <kelven.yang@citrix.com> wrote:
>>> This is done by the expiration argument to the API call to setup the
>>> session?
> No, the expiration time is not set through API parameter, but generated directly within
> management server. We don't want this to be configurable.
>

So it's hardcoded? What length of time is it set to?

--David
