revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-17 19:10:54 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications
History
epriestley ca39be6091 Make partial sessions expire after 30 minutes, and do not extend them 
Summary:
Depends on D19904. Ref T13226. Ref T13222. Currently, partial sessions (where you've provided a primary auth factor like a password, but not yet provided MFA) work like normal sessions: they're good for 30 days and extend indefinitely under regular use.

This behavior is convenient for full sessions, but normal users don't ever spend 30 minutes answering MFA, so there's no real reason to do it for partial sessions. If we add login alerts in the future, limiting partial sessions to a short lifetime will make them more useful, since an attacker can't get one partial session and keep extending it forever while waiting for an opportunity to get past your MFA.

Test Plan:
  - Did a partial login (to the MFA prompt), checked database, saw a ~29 minute partial session.
  - Did a full login, saw session extend to ~30 days.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13226, T13222

Differential Revision: https://secure.phabricator.com/D19905
2018-12-28 00:17:01 -08:00
..
almanac Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
aphlict Add a CLI workflow for testing that notifications are being delivered 2018-12-10 16:05:53 -08:00
arcanist/conduit Remove remaining arcanist project code 2015-07-08 19:37:28 +10:00
audit Remove "willRenderTimeline()" from ApplicationTransactionInterface 2018-12-20 14:55:07 -08:00
auth Make partial sessions expire after 30 minutes, and do not extend them 2018-12-28 00:17:01 -08:00
badges Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
base Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
cache Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics 2018-11-13 08:59:18 -08:00
calendar Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
celerity Emit a "Content-Security-Policy" HTTP header 2018-02-27 10:17:30 -08:00
chatlog Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
conduit Use phutil_microseconds_since(...) to simplify some timing arithmetic 2018-11-08 16:46:32 -08:00
config Implement "@{config:...}" as a real Remarkup rule 2018-12-28 00:05:09 -08:00
conpherence Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
console Fix some minor errors (DarkConsole warning, unstable Ferret sort) 2018-03-18 15:12:25 -07:00
countdown Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
daemon Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
dashboard Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
differential Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
diffusion Remove "willRenderTimeline()" from ApplicationTransactionInterface 2018-12-20 14:55:07 -08:00
diviner Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
doorkeeper Allow Doorkeeper references to have multiple display variations (full, short, etc.) 2018-03-13 11:29:52 -07:00
draft/storage When purging drafts after a transaction edit, purge all drafts 2018-02-11 06:01:09 -08:00
drydock Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
fact Remove all application callers to "putInSet()" 2018-12-12 16:41:12 -08:00
favorites Add some missing aural button labels for accessibility 2018-08-17 11:00:29 -07:00
feed Separate "feed" and "notifications" better, allow stories to appear in notifications only 2018-12-10 16:02:43 -08:00
files Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
flag Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
fund Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
guides Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
harbormaster Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
help Redesign header menus and search 2017-01-17 12:13:06 -08:00
herald In Webhooks, give errors human-readable labels and show reminder text for "Silent Mode" 2018-12-28 00:05:46 -08:00
home Update menu item names for Applications -> Favorites 2017-09-05 19:05:03 -07:00
legalpad Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
lipsum Add "--force" and "--quickly" flags to bin/lipsum 2017-02-27 09:09:41 -08:00
macro Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
maniphest Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest 2018-12-28 00:10:54 -08:00
meta Modularize Repository transactions 2018-11-28 14:29:18 -08:00
metamta Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
multimeter Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
notification Remove obsolete "NotifyTest" feed story 2018-12-10 16:03:42 -08:00
nuance Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
oauthserver Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
owners Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
packages Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
passphrase Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
paste Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
people Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
phame Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
phid Truncate package names in diff table of contents views 2018-06-07 13:17:01 -07:00
phlux Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
pholio Restore a Mock key to Pholio Images 2018-12-28 00:03:48 -08:00
phortune Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
phpast Update phpast for new UI 2016-04-05 13:52:59 -07:00
phragment Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
phrequent Remove old Phrequent propery rendering code and show "Time Spent" in higher precision 2018-12-28 00:07:25 -08:00
phriction Fix the last remaining (?) continue inside switch 2018-12-28 00:04:25 -08:00
phurl Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
policy Extend PhabricatorPolicyCodex interface to handle "interesting" policy defaults 2018-04-27 16:56:11 -07:00
ponder Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
project Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
releeph Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
remarkup/conduit
repository Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
search Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
settings Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
slowvote Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
spaces Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
subscriptions Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest 2018-12-28 00:10:54 -08:00
support/application
system Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics 2018-11-13 08:59:18 -08:00
tokens Allow tokens to be awarded to MFA-required objects 2018-12-28 00:14:48 -08:00
transactions Allow "MFA Required" objects to be edited without MFA if the edit is only creating inverse edges 2018-12-28 00:12:49 -08:00
typeahead Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
uiexample Reduce the cost of generating default user profile images 2018-03-01 16:53:17 -08:00
xhprof Allow XHProf profiles to be drag-and-dropped to upload them 2017-02-23 11:16:19 -08:00