guacamole-user mailing list archives

From Michael Niehren <mich...@niehren.de>
Subject possible security issue
Date Mon, 15 Jan 2018 07:46:10 GMT
Hi together,

I see a security issue in the following scenario:
Let's say we have a user for whom 2 sessions are configured. Now the
user has logged in to the guac-client and is connected to 1 session.

I see that the user does bad things in his session and I want to kick it
off and disable his account. So I change his password and kick off the session.
But he's still logged in to the guac-client and he can immediately reconnect
the session.

In the documentation I didn't find a possibility to kick the login to the
guac-client. The only option I found to influence the guac-client login is
the "api-session-timeout", but this option only takes effect on inactivity.

Maybe a new option "auto-session-logout" would be useful, which, if set, will
automatically kick off the guac-login if the session is closed. So he can't
log in again as the password has been changed.

What do you think about that?

Best regards and keep up your good work
   Michael

-- 
Michael Niehren              __   _       powered by
                             / /  (_)__  __ ____  __
                            / /__/ / _ \/ // /\ \/ /
                           /____/_/_//_/\_,_/ /_/\_\

