Security feature: Cloudron autologin after hours of inactivity
I received a reply from Johannes, who suggested that I create a forum thread about this topic. Anyone who has some ideas/insights, please share.
This may not be a problem for many, but it was an interesting case for me. I was introducing Cloudron to one of my research colleagues at UCL, as they were looking to deploy Nextcloud and various other apps that can increase their research productivity.
So I invited one of them as a user to my Cloudron to test some apps.
During our recent discussion, she mentioned that she shut her laptop off last night. This morning, when she turned the laptop on and went to my Cloudron,
it was already logged in, and it had not automatically logged off. To her surprise, when she clicked the Nextcloud app in Cloudron, it went straight to her dashboard, and it wasn't auto-logged out either.
Johannes explained to me that Cloudron has a token for session keeping. Some apps within Cloudron have their own too.
In an ideal situation, we don't want to delete our cookies, because there are some cookies we want to keep enabled.
For the record, I use macOS and Safari; my friend uses a Windows laptop and Firefox.
In my mind, if someone stole the laptop and could gain access to the computer, just opening the browser would get them into Cloudron and then Nextcloud, and they would get access to every personal file in there.
There is a 2FA system, but I'd rather have a complex password than rely on my phone to generate the 2FA code (assuming some cases where the phone is out of battery or is lost).
# My Question / Feature Request
Is there a method to make Cloudron auto log out after some time of inactivity? Or, in this sense, to make the session keeping around 1 hour, for example. Some websites I noticed have this feature, such as DigitalOcean. Some don't, which is perhaps a preference set by the developer of the web app in this case.
In my humble opinion, this could be a good feature for Cloudron to have: auto log off after a certain time.
On this point, does anyone know any tricks/tips to set the Nextcloud session expiration?
Thanks for any insights/tips on this issue. Let me know too if you agree/disagree on such a feature to auto-log off, or a global setting in Cloudron for session expiration.
I think you should be able to do that with the API; even if not documented, there is a GET request that allows invalidating all the tokens:
GET /api/v1/cloudron/logout?access_token=[your API key]
BUT to be fair, your computer, even if stolen, is really hard to get into because of full disk encryption, password auth nowadays delegated to a super safe hardware component, and secure boot.
It's easy to find other vulnerabilities.
From a security standpoint, this does not bring a lot. If the computer is stolen, you should protect against the thief being able to access anything on the computer: good session password, full disk encryption, ...
However, if you end up wanting something like this, it would not be possible for Cloudron itself to do all of this; it would have to be implemented on an app-by-app basis.
Also, if you want to have something like this on the computer side rather than the server side, you can use something like the Cookie AutoDelete extension on Firefox (I believe there is no equivalent for Chrome-based browsers). It allows you to decide on which websites to keep cookies indefinitely / to keep cookies only until the browser is closed / to destroy cookies as soon as the tab is closed.
@mehdi Thanks for the tip, I'll look into the extension you mentioned.
Also found a thread in Nextcloud on the subject:
Essentially, it was suggested to edit /config/config.php like this:

```php
'session_lifetime' => 3600,            // seconds of inactivity before the session expires
'session_keepalive' => false,          // don't let the web UI's keepalive ping extend the session
'remember_login_cookie_lifetime' => 0, // disable the long-lived "remember me" cookie
```
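To make the three settings above concrete, and to show what "session keeping of around 1 hour" from the original question means on the server side, here is an added Python model of an idle-timeout session store. This is example code written for this thread, not Cloudron's or Nextcloud's implementation: the names `Policy`, `Session`, `SessionStore` and `FakeClock`, the two scenarios, and the 15-day remember-me value are all constructed for the illustration. It also shows why a valid "remember me" cookie is what keeps a laptop logged in overnight, and what invalidating all sessions at once looks like.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    # Field names mirror the Nextcloud config keys quoted in the thread; the
    # semantics here are a simplified model written for this example, not Nextcloud's code.
    session_lifetime: int = 3600              # idle seconds before a session dies
    session_keepalive: bool = False           # do background keepalive pings count as activity?
    remember_login_cookie_lifetime: int = 0   # 0 disables the long-lived "remember me" login


@dataclass
class Session:
    user: str
    last_activity: float
    remember_expires: float = 0.0   # 0.0 means no remember-me cookie was issued


class FakeClock:
    """Constructed clock so the scenario runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    def __init__(self, policy: Policy, clock=time.time) -> None:
        self.policy = policy
        self.clock = clock
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, remember_me: bool = False) -> str:
        now = self.clock()
        session = Session(user=user, last_activity=now)
        # A remember-me cookie is only issued when the policy allows a non-zero lifetime.
        if remember_me and self.policy.remember_login_cookie_lifetime > 0:
            session.remember_expires = now + self.policy.remember_login_cookie_lifetime
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = session
        return sid

    def request(self, sid: str, keepalive: bool = False) -> Optional[str]:
        """Validate one request. Returns the user name, or None if the session is gone."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > self.policy.session_lifetime:
            if now < session.remember_expires:
                # Idle session, but a still-valid remember-me cookie re-establishes it.
                session.last_activity = now
                return session.user
            del self.sessions[sid]
            return None
        if keepalive and not self.policy.session_keepalive:
            return session.user  # a keepalive ping does not reset the idle timer
        session.last_activity = now
        return session.user

    def logout_all(self) -> int:
        """Drop every session at once; the server-side counterpart of 'invalidate all tokens'."""
        count = len(self.sessions)
        self.sessions.clear()
        return count


def scenario() -> dict:
    results = {}
    # Scenario 1: the thread's suggested config (1 h idle timeout, no keepalive, no remember-me).
    clock = FakeClock()
    store = SessionStore(Policy(3600, False, 0), clock)
    sid = store.login("alice", remember_me=True)   # remember_me is ignored: lifetime is 0
    clock.advance(1800)
    results["active_after_30min"] = store.request(sid)                  # "alice"
    clock.advance(1800)
    results["keepalive_at_60min"] = store.request(sid, keepalive=True)  # "alice", timer not reset
    clock.advance(1801)
    results["after_idle_hour"] = store.request(sid)                     # None: 3601 s idle

    # Scenario 2: a long remember-me cookie, i.e. the "laptop shut off overnight" case.
    clock2 = FakeClock()
    store2 = SessionStore(Policy(3600, False, 15 * 24 * 3600), clock2)  # 15 days, constructed value
    sid2 = store2.login("bob", remember_me=True)
    clock2.advance(10 * 3600)                                           # no activity overnight
    results["overnight_with_remember_me"] = store2.request(sid2)        # "bob": still logged in
    results["logout_all_count"] = store2.logout_all()                   # 1
    results["after_logout_all"] = store2.request(sid2)                  # None
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")
```

The two scenarios are the two halves of the thread: with `remember_login_cookie_lifetime` set to 0 the session dies after an hour without real requests, and a keepalive ping does not count as a request; with a long remember-me lifetime the session survives the night, which is exactly the behaviour the original post describes. Whatever the server does, the browser still holds the cookie, so the server-side timeout and the client-side cookie deletion mentioned later in the thread complement each other rather than replace each other.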
I'm a desktop guy, but I recently bought an Asus Strix G15 laptop and will be using that as my daily work computer. Like you, I've thought about the security aspect of the possibility of my laptop being lost/stolen. I believe that having full disk encryption enabled + a strong password for the Windows user + a UEFI admin password is more than enough security that I feel comfortable enough to stay logged in to my Cloudron.
Firefox has a setting where you can delete cookies when the browser is closed, and you can have exceptions. It's found in Settings --> Privacy and Security --> Cookies and Site Data.
@humptydumpty Thanks for this.
Just for someone else pondering some alternatives, I've also found another neat solution, where I use WebCatalog. I can create a workspace and put all my Cloudron apps there. It's just converting the website into an app-like application on Windows, macOS and Linux. I can create a custom lock after a certain period of time to lock the entire workspace.
I can also log in and click "never save password", so every time I click the app in that workspace, I will need to log in again.
@moocloud_matt that's really true.
My concern is, for example, when a user uses it on a public computer in a laboratory and they totally forget to log out manually. This can be an issue.
For public use in a research team or something, I might suggest 2FA, but it is no use either if it keeps the token alive. Alternatively, editing the config file in Nextcloud seemed to do the trick.