cloudstack-dev mailing list archives

From Kelven Yang <>
Subject RE: Security aspects of CloudStack console access
Date Sat, 21 Apr 2012 03:50:31 GMT
It is hard-coded to 2 minutes. We assume that from the time management has generated the token,
the browser should be able to start a session within this time period. It also means that if someone
has already broken our first layer (HTTPS web session) of security, he/she has up to 2 minutes
to break the 64-bit keyed DES access token. Not sure if it is strong enough though; I'm looking
forward to hearing from security experts in the community to comment on that.


-----Original Message-----
From: David Nalley [] 
Sent: Friday, April 20, 2012 6:48 PM
Cc: Development discussions for CloudStack
Subject: Re: Security aspects of CloudStack console access

On Fri, Apr 20, 2012 at 9:36 PM, Kelven Yang <> wrote:
>>> This is done by the expiration argument to the API call to setup the session?
> No, the expiration time is not set through API parameter, but generated directly within management server. We don't want this to be configurable.

So it's hardcoded? What length of time is it set to?

