Moodle / MDL-66172

Add require_recent_login() for higher security pages

    Details

    • Type: Improvement
    • Status: Development in progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Future Dev
    • Fix Version/s: None
    • Component/s: Authentication

      Description

      There are various pages where you want security to be tighter than normal, e.g. you might have a 1-hour session inactivity timeout, but if you went to do something then you'd expect to re-authenticate even though you are already in a session.

      So proposing:

      1) To introduce a function require_recent_login() which is what it says on the box. It would operate the same as, say, a sudo password and might time out within 15 minutes, but not bug you twice within that period.

      2) A new config option which defines how recent 'recent' is. A sane default might be 15 minutes, which is the same as sudo.

      3) Introduce a new option which says whether editing admin settings should be considered 'more secure'. If so then call require_recent_login() from require_admin_login()

      I'm in two minds about whether there should be 1 or 2 new admin settings. Most Moodles won't need this, so it might be simpler to conflate the two settings and have it default to 0, which would turn it off.

       

       

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              peterburnett Peter Burnett
              Reporter:
              brendanheywood Brendan Heywood
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              4
              Watchers:
              9
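
A sketch of the recency check this issue proposes, added here as an illustration; it is not Moodle code or the assignee's patch. The function names, the `lastauthtime` session key and the window parameter are all assumptions, and the timestamps are constructed.

```php
<?php
// Added illustration, not Moodle code. Every name below is hypothetical.

/**
 * Decide whether the user must re-authenticate before a higher security page.
 *
 * @param array $session Session data; 'lastauthtime' (hypothetical key) holds the
 *                       Unix time of the last successful password entry.
 * @param int   $window  Hypothetical config value in seconds; 0 turns the check off.
 * @param int   $now     Current Unix time, passed in so the logic can be tested.
 */
function needs_recent_login(array $session, int $window, int $now): bool {
    if ($window <= 0) {
        return false; // Check disabled: the single conflated setting left at 0.
    }
    $last = $session['lastauthtime'] ?? null;
    if (!is_int($last)) {
        return true;  // No record of an interactive login in this session.
    }
    if ($last > $now) {
        return true;  // Timestamp in the future: treat as untrusted, not as fresh.
    }
    // Measured from the last password entry, not from last page activity,
    // so an active session does not keep the elevated window open.
    return ($now - $last) > $window;
}

/** Record a successful re-authentication so the user is not asked again within the window. */
function mark_recent_login(array &$session, int $now): void {
    $session['lastauthtime'] = $now;
}

// Constructed walk-through: 15 minute window inside a longer-lived session.
$window  = 15 * 60;
$t0      = 1700000000;                // constructed login time
$session = ['lastauthtime' => $t0];

var_dump(needs_recent_login($session, $window, $t0 + 5 * 60));  // inside the window
var_dump(needs_recent_login($session, $window, $t0 + 40 * 60)); // session alive, login stale
mark_recent_login($session, $t0 + 40 * 60);                     // user re-entered the password
var_dump(needs_recent_login($session, $window, $t0 + 50 * 60)); // second request, same window
var_dump(needs_recent_login($session, 0, $t0 + 40 * 60));       // window of 0
```

The timestamp has to be written only at the point where credentials are actually verified; writing it on session resume or auto-login would defeat the check.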