Looking to get more feedback and discussion around this request before we implement any changes.
Thanks,
Moisey
I think the simplest solution will be to just let customers set their timeout values themselves.
This way those that like to stay logged in can do so, others can choose lower values.
Thanks
I prefer infinite sessions.
No!
Thanks for the feedback =]
Absolutely, yes. I keep my browser open for weeks. It scares me that someone could go to digitalocean.com/droplets on my laptop, and have the ability to destroy my entire infrastructure without even having to reenter my password.
Not a good idea. I hate the "auto logout"!
N
The current timeout is set to expire when you close your browser but we will be looking into implementing a timeout value that customers can choose themselves, most likely something like:
Browser (stay logged in while browser is open)
3 hours
12 hours
24 hours
1 week
If anyone has any other suggestions let us know!
We have another request for this and we'll be implementing timeout values that customers can set =]
So this will be configurable? Personally I want my sessions to last longer. I work from home so I'm not too worried about others jumping on my computer.
I prefer Google's approach where they only ask you to verify your two factor authentication token every 30 days.
Totally roll w/the crowd that believes that 15 mins. is waaaaaaaay too short
A session management screen would be really good to have, so I can log out from some computer I've used to manage my droplets but haven't logged out of.
Browser session gives unlimited access to the infrastructure hosted at DO.
We really see this as a major threat to our production infrastructure.
Even more so with a trend of laptops being rebooted very rarely by programmers and admins. In practice, the session persists for many days, and of course one cannot rely on "sign out" being always used by all team members.
Please kindly implement an option to expire the session in a reasonable time frame (like 30 - 60 minutes).
IMO this is a security threat. If you want you can give the user the choice but at least make the default a finite value.
Every serious service/provider uses automatic session expiration. You should implement this feature if you care about the security of your real customers.
For others who do not want automatic session expiration you might implement a "Remember me" or similar checkbox on the login page.
Currently DigitalOcean keeps sessions even after closing the web browser.
DigitalOcean isn't Facebook or Instagram and should provide every possible mechanism to improve users' security.
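Added example, not part of the thread and not DigitalOcean's code: a sketch of the customer-selectable timeout menu from the staff post, enforced server-side so a browser left open cannot outlive the chosen lifetime, plus the per-device listing and remote logout a session management screen needs. `SessionStore`, `DEFAULT_CHOICE`, `BROWSER_HARD_CAP` and the in-memory table are assumptions made for illustration.

```python
import secrets
import time

# Menu from the staff post, in seconds. None = "Browser": the cookie gets no
# Max-Age, so the browser drops it on close.
LIFETIMES = {"browser": None, "3h": 3 * 3600, "12h": 12 * 3600,
             "24h": 24 * 3600, "1w": 7 * 24 * 3600}
DEFAULT_CHOICE = "3h"              # assumption: a finite default
BROWSER_HARD_CAP = 7 * 24 * 3600   # assumption: server cap for "browser" sessions


class SessionStore:
    """Hypothetical in-memory session table; expiry is enforced server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_token = {}   # secret cookie token -> session record

    def login(self, user, device, choice=DEFAULT_CHOICE):
        max_age = LIFETIMES[choice]          # KeyError for values off the menu
        ttl = BROWSER_HARD_CAP if max_age is None else max_age
        token = secrets.token_urlsafe(32)
        self._by_token[token] = {"sid": secrets.token_hex(8), "user": user,
                                 "device": device,
                                 "expires_at": self._clock() + ttl}
        return token, max_age                # max_age feeds Set-Cookie Max-Age

    def validate(self, token):
        """Return the user for a live session, else None (and forget it)."""
        rec = self._by_token.get(token)
        if rec is None:
            return None
        if self._clock() >= rec["expires_at"]:
            del self._by_token[token]
            return None
        return rec["user"]

    def list_sessions(self, user):
        """Rows for a session management screen: public sid and device only."""
        now = self._clock()
        return [(r["sid"], r["device"]) for r in self._by_token.values()
                if r["user"] == user and r["expires_at"] > now]

    def revoke(self, user, sid):
        """Log out one of the user's own sessions from any other browser."""
        for token, r in list(self._by_token.items()):
            if r["user"] == user and r["sid"] == sid:
                del self._by_token[token]
                return True
        return False
```

The lifetime here is absolute (counted from login); an idle timeout would instead push `expires_at` forward on each successful `validate`.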