What is the reason for the "Login timeout" setting and functionality?


Question

If an application redirects the user to the Keycloak login page, and it sits there for more than the "Login timeout" (default 5 minutes), then when the user enters a username and password, instead of a login, she is greeted by:

You took too long to login. Login process starting from beginning.

To avoid this, one can change "Realm Settings → Tokens → Login timeout" to e.g. 10000 days, which is 27 years and should ensure this never happens in reality.

But before we go ahead and effectively disable this timeout, we'd like to ask: What is the purpose of this timeout? Somebody apparently went to the trouble of implementing it, but what is it protecting against? What are the (security?) consequences of disabling it?

Answer

As far as I know, it is mostly used as an additional mechanism to avoid session fixation attacks. For instance, in a company a user goes for a coffee and leaves the computer on, and then the hacker sees the opportunity and manually sets in the browser URL the current login session ID (or just copies it). Now, if the system is configured in a way that the session ID does not change between the pre-login and post-login phases, then after the victim has successfully authenticated, the hacker will be able to use the session that the victim is currently on, without having to insert any authentication.

The higher the timeout is, the wider the window of opportunity for such attacks to happen will be. Login timeout is just another layer of protection to avoid such issues, as are session expiration, changing the session ID between the pre-login and post-login phases, among others.

As can be read in ():

Initial Login Timeout: This extra protection mechanism tries to force the renewal of the session ID pre-authentication, avoiding scenarios where a previously used (or manually set) session ID is reused by the next victim using the same computer, for example, in session fixation attacks.

OWASP.org

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

A fairly good explanation of how session fixation attacks work and how to prevent them can be found here and here.

Now I am not a security expert, but I would say that if you have other preventing mechanisms in place, such as changing the session ID, you should be fine. However, on the other side of the coin, do you really need that much time to login? And is it that much of an annoyance to just refresh again?
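A minimal illustration of the two layers the answer names, written as an added example (it is not Keycloak's code and not part of the original answer): a pre-authentication session whose ID is discarded once the login timeout has passed, and which is replaced by a fresh ID when authentication succeeds. The `SessionStore` class, `check_password` and the `USERS` table are hypothetical, and the clock is injectable only so the timeout can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

LOGIN_TIMEOUT_SECONDS = 5 * 60  # Keycloak's default "Login timeout" of 5 minutes

# Constructed credential table for the demo; a real system stores password hashes.
USERS = {"alice": "correct horse battery staple"}

def check_password(user: str, password: str) -> bool:
    return user in USERS and hmac.compare_digest(USERS[user], password)

@dataclass
class Session:
    user: Optional[str] = None      # None until authentication succeeds
    login_started_at: float = 0.0   # when the login page was issued

class SessionStore:
    def __init__(self, login_timeout: float = LOGIN_TIMEOUT_SECONDS, clock=time.time):
        self.sessions = {}
        self.login_timeout = login_timeout
        self.clock = clock  # injectable so the timeout can be tested without waiting

    def start_login(self) -> str:
        """Issue a fresh pre-authentication session ID when the login page is shown."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(login_started_at=self.clock())
        return sid

    def authenticate(self, sid: str, user: str, password: str) -> Tuple[bool, str]:
        """Return (True, new_session_id) on success, (False, reason) otherwise."""
        pre = self.sessions.get(sid)
        if pre is None or pre.user is not None:
            return False, "unknown or already authenticated session"
        if self.clock() - pre.login_started_at > self.login_timeout:
            # Layer 1 (login timeout): a stale pre-auth ID is discarded, so an ID fixed or
            # copied while the login page sat idle cannot be carried into a later login.
            del self.sessions[sid]
            return False, "You took too long to login. Login process starting from beginning."
        if not check_password(user, password):
            return False, "invalid credentials"
        # Layer 2 (ID rotation): the pre-login ID is retired and a new one issued, so
        # whoever knows the pre-login ID does not inherit the authenticated session.
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=user, login_started_at=pre.login_started_at)
        return True, new_sid
```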
