Idle Timeout

Idle Timeout

Shaun Quartier
I’m currently using Kerberos for our employee intranet through htaccess and
I was interested in finding a way to implement an idle logout for users
after 15 minutes of using the site. I was wondering if I could accomplish
this using Kerberos, and what kind of changes I would need to make and/or
which settings would need to be changed. I have not had any previous experience
using Kerberos, and have just started reading about its capabilities lately
while looking into this project. Any help would be greatly appreciated.
Thanks,
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Idle Timeout

Brian Candler
On Tue, Jan 04, 2011 at 10:34:00AM -0500, Shaun Quartier wrote:
> I’m currently using Kerberos for our employee intranet through htaccess and
> I was interested in finding a way to implement an idle logout for users
> after 15 minutes of using the site.

I presume you mean after 15 minutes of *not* using the site.

From a user interface point of view, what do you want the user to see if
they haven't accessed the site for 15 minutes, and then come back to it?

And what do you want the user to see when they visit the site for the first
time?

Kerberos is a single sign-on system. You get your TGT at the start of the
day, and then it logs you in automatically and transparently to each service
you visit.

If you want the site to prompt for username/password, either initially or
after an idle timeout, then I think it will need to do its own HTTP Basic
authentication.

Regards,

Brian.

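Brian's point is that SPNEGO will re-identify the user silently on every request, so the 15-minute idle limit has to live in the site's own session layer, with a separate interactive login step that Kerberos alone does not give you. The following is an added example, not code from this thread or from any of the projects mentioned in it. It assumes Apache (with mod_auth_kerb or similar) sets REMOTE_USER, that one path, LOGIN_PATH, is configured to demand an interactive credential prompt (Basic auth as Brian suggests, or a re-auth page), and that SECRET is a constructed placeholder for a real server-side key. Sessions are HMAC-signed cookies carrying the principal and a last-activity time; `handle()` is a minimal WSGI-style decision function.

```python
import base64
import binascii
import hashlib
import hmac
from http.cookies import SimpleCookie

IDLE_LIMIT = 15 * 60      # seconds of inactivity before the site session is dropped
LOGIN_PATH = "/login"     # assumption: the one location Apache protects with an interactive prompt
SECRET = b"constructed-demo-secret-replace-in-deployment"   # constructed placeholder, keep server-side


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def make_session(principal: str, now: float) -> str:
    """Encode principal and last-activity time into an HMAC-signed cookie value."""
    payload = f"{principal}|{int(now)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def check_session(value, now: float):
    """Return (state, principal); state is 'none', 'invalid', 'expired' or 'ok'."""
    if not value:
        return "none", None
    try:
        b64, mac = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        principal, last = payload.decode().rsplit("|", 1)
        last_activity = int(last)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return "invalid", None
    if not hmac.compare_digest(_sign(payload), mac):
        return "invalid", None
    if now - last_activity > IDLE_LIMIT:
        return "expired", principal
    return "ok", principal


def handle(environ: dict, now: float):
    """Decide one request; returns (status, headers, body) the way a WSGI app would."""
    kerb_user = environ.get("REMOTE_USER")            # set by the Kerberos/SPNEGO module
    path = environ.get("PATH_INFO", "/")
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    current = cookies["sess"].value if "sess" in cookies else None

    if path == LOGIN_PATH and kerb_user:
        # The only place a session is minted. Apache is assumed to force an interactive
        # prompt here, so REMOTE_USER on this path means the user really typed something.
        cookie = f"sess={make_session(kerb_user, now)}; Path=/; HttpOnly; Secure"
        return "302 Found", [("Location", "/"), ("Set-Cookie", cookie)], b""

    state, principal = check_session(current, now)
    if state == "ok" and principal == kerb_user:
        # Activity: slide the idle window forward by re-issuing the cookie.
        cookie = f"sess={make_session(kerb_user, now)}; Path=/; HttpOnly; Secure"
        body = f"hello {principal}".encode()
        return "200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)], body

    # No session, a tampered one, a principal mismatch, or 15 minutes idle. SPNEGO would
    # have re-identified the user silently, so bounce to the interactive login instead.
    clear = "sess=; Path=/; Max-Age=0"
    return "302 Found", [("Location", LOGIN_PATH), ("Set-Cookie", clear)], b""
```

The check that the cookie's principal equals REMOTE_USER matters: it stops a session cookie from outliving the Kerberos identity behind it, and it is the reason the session store needs the principal at all rather than just a timestamp.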
Re: Idle Timeout

Russ Allbery
Brian Candler <[hidden email]> writes:

> Kerberos is a single sign-on system. You get your TGT at the start of
> the day, and then it logs you in automatically and transparently to each
> service you visit.

> If you want the site to prompt for username/password, either initially
> or after an idle timeout, then I think it will need to do its own HTTP
> Basic authentication.

Or you can use a web authentication system based on or capable of using
Kerberos, like:

    http://webauth.stanford.edu/
    http://cosign.sourceforge.net/

which offer various additional features, such as this sort of idle
timeout.  Kerberos by itself is not going to provide this.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>
Re: Idle Timeout

Matej Zagiba


On 01/04/2011 06:54 PM, Russ Allbery wrote:

> Brian Candler <[hidden email]> writes:
>
>> Kerberos is a single sign-on system. You get your TGT at the start of
>> the day, and then it logs you in automatically and transparently to each
>> service you visit.
>
>> If you want the site to prompt for username/password, either initially
>> or after an idle timeout, then I think it will need to do its own HTTP
>> Basic authentication.
>
> Or you can use a web authentication system based on or capable of using
> Kerberos, like:
>
>      http://webauth.stanford.edu/
>      http://cosign.sourceforge.net/
>
> which offer various additional features, such as this sort of idle
> timeout.  Kerberos by itself is not going to provide this.
>
> --
> Russ Allbery ([hidden email]) <http://www.eyrie.org/~eagle/>

We are using CoSign and it has a pretty feature called re-auth.
A service can request that re-auth is needed, and the user is redirected to a central re-auth page.
If Kerberos authentication (SPNEGO) is used (or certificates, or passwords are stored in the browser...)
this can be automated and the user may not be aware of it. So multifactor authentication comes to the rescue.
Some sort of OTP would be a good idea, but that's kind of anti-SSO. If only one site needs this functionality,
put it out of the SSO realm; if multiple sites will use this, add OTP as a second authentication factor.
Every site can be configured as to which factor is mandatory/sufficient. On timeout the site invalidates the session and
the user is taken to the re-auth page. The OTP factor can be designed so it will not ask for a password more often than
once per 15 minutes, making it more SSO-like (the user is not asked to re-auth on every expired site, just on the
first one).


  Matej Zagiba
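Matej's design has three moving parts: a per-site idle timeout that invalidates the site session, a central re-auth page that remembers when each user last satisfied each factor, and a per-site policy naming which factors are mandatory. The model below is an added example that simulates that design; it is not CoSign's code and does not reproduce CoSign's configuration. The site names, the user, the factor names and the freshness windows (8 hours for a Kerberos/SPNEGO identification, 15 minutes for OTP) are all constructed for the simulation. The "kerberos" factor is satisfied without prompting, which is exactly why it cannot serve as the idle-timeout factor on its own, while the OTP factor is only asked for when its last use is older than the window, so the second expired site in a row does not prompt again.

```python
from dataclasses import dataclass

# How long a satisfied factor stays fresh at the central re-auth page (constructed values).
FACTOR_FRESHNESS = {
    "kerberos": 8 * 3600,   # roughly a TGT's working day
    "otp": 15 * 60,         # never ask for an OTP more often than once per 15 minutes
}


@dataclass(frozen=True)
class SitePolicy:
    name: str
    mandatory: frozenset    # every listed factor must be fresh for re-auth to succeed
    idle_timeout: int       # seconds the site's own session may sit idle


@dataclass
class SiteSession:
    user: str
    last_activity: float


class CentralReauth:
    """Central re-auth page: remembers when each user last satisfied each factor."""

    def __init__(self):
        self.last_auth = {}     # user -> {factor: timestamp}

    def factors_needed(self, user, site, now):
        done = self.last_auth.get(user, {})
        return sorted(f for f in site.mandatory
                      if now - done.get(f, float("-inf")) > FACTOR_FRESHNESS[f])

    def reauth(self, user, site, now, prompt):
        """Satisfy every stale mandatory factor; return the ones the user was actually asked for."""
        asked = []
        for factor in self.factors_needed(user, site, now):
            if factor != "kerberos":
                prompt(factor)          # interactive step, e.g. OTP entry
                asked.append(factor)
            # "kerberos" is answered by the browser via SPNEGO; the user sees nothing.
            self.last_auth.setdefault(user, {})[factor] = now
        return asked


def site_request(site, session, central, user, now, prompt):
    """One request to a site: serve it, or invalidate the session and go through re-auth."""
    if (session is not None and session.user == user
            and now - session.last_activity <= site.idle_timeout):
        session.last_activity = now
        return "served", [], session
    # Idle timeout (or no session yet): the site drops its session and redirects centrally.
    asked = central.reauth(user, site, now, prompt)
    return "reauthenticated", asked, SiteSession(user, now)


def simulate():
    """Constructed scenario; returns (site, minute, outcome, factors prompted) per visit."""
    central = CentralReauth()
    intranet = SitePolicy("intranet", frozenset({"kerberos", "otp"}), 15 * 60)
    wiki = SitePolicy("wiki", frozenset({"kerberos"}), 15 * 60)
    user = "alice@EXAMPLE.COM"
    prompted = []
    sessions = {}
    log = []

    def visit(site, t):
        outcome, asked, sessions[site.name] = site_request(
            site, sessions.get(site.name), central, user, t, prompted.append)
        log.append((site.name, t // 60, outcome, asked))

    visit(intranet, 0)          # first login: kerberos silently, OTP prompted
    visit(wiki, 5 * 60)         # kerberos-only site, identity fresh: no prompt at all
    visit(intranet, 10 * 60)    # inside the idle window: served
    visit(intranet, 30 * 60)    # 20 min idle: session dropped, OTP older than 15 min: prompted
    visit(wiki, 31 * 60)        # 26 min idle: session dropped, but re-auth is silent
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

The per-site `idle_timeout` and the central `FACTOR_FRESHNESS["otp"]` are deliberately separate knobs: the first decides how often a site bounces the user to re-auth, the second decides how often that bounce actually costs the user a keystroke.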