- Type: Improvement
- Resolution: Unresolved
- Priority: Minor
- None
- Future Dev
There are various pages where you want security to be tighter than normal. For example, you might have a 1 hour session inactivity timeout, but if you went to do something then you'd expect to re-authenticate even though you are already in a session.

So proposing:

1) Introduce a function require_recent_login() which does what it says on the box. It would operate the same as, say, a sudo password and might time out within 15 minutes, but not bug you twice within that period.

2) A new config option which defines how recent 'recent' is. A sane default might be 15 minutes, which is the same as sudo.

3) Introduce a new option which says whether editing admin settings should be considered 'more secure'. If so, then call require_recent_login() from require_admin_login().

I'm in two minds about whether there should be 1 or 2 new admin settings. Most Moodles won't need this, so it might be simpler to conflate the two settings and have it default to 0, which would turn it off.
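The sudo-style behaviour proposed above, as an added illustration that is not Moodle code: a recent-login check with a configurable window, a re-authentication that resets the timer so the user is not prompted twice inside one window, and an admin gate that escalates to the check when the extra option is on. The config keys, session keys and function signatures are assumptions made for this sketch; the session and clock values are constructed. A window of 0 switches the check off, matching the "default to 0 turns it off" idea.

```python
import time

# Constructed settings for the illustration; the key names are assumptions,
# not real Moodle config keys. A window of 0 disables the extra check.
CONFIG = {
    "recentloginwindow": 15 * 60,       # how recent "recent" is, in seconds (sudo-like default)
    "adminrequiresrecentlogin": True,   # treat admin settings pages as "more secure"
}


class ReauthRequired(Exception):
    """Raised when the caller should redirect the user to re-authenticate."""


def record_authentication(session, now=None):
    """Call after a successful password check (initial login or re-auth)."""
    session["lastauthtime"] = time.time() if now is None else now


def require_recent_login(session, now=None, window=None):
    """Pass silently if the user proved their password within `window` seconds.

    Otherwise raise ReauthRequired. Like sudo, a successful re-auth resets the
    timer, so the user is not prompted twice inside one window.
    """
    now = time.time() if now is None else now
    window = CONFIG["recentloginwindow"] if window is None else window
    if window <= 0:
        return True            # feature switched off
    last = session.get("lastauthtime")
    # A missing or future timestamp (clock skew, tampered session) counts as stale.
    if last is None or last > now or now - last > window:
        raise ReauthRequired("re-authentication required")
    return True


def require_admin_login(session, now=None):
    """Ordinary admin gate, optionally escalated to a recent-login check."""
    if not session.get("userid") or not session.get("isadmin"):
        raise PermissionError("admin login required")
    if CONFIG["adminrequiresrecentlogin"]:
        require_recent_login(session, now=now)
    return True


def simulate_admin_session():
    """Walk a constructed admin session through a 15-minute window.

    Returns the outcome at each step so the behaviour is easy to check.
    """
    session = {"userid": 2, "isadmin": True}   # constructed session
    outcomes = []
    t0 = 1_700_000_000                          # constructed fixed clock
    record_authentication(session, now=t0)
    for offset in (60, 14 * 60, 16 * 60):
        try:
            require_admin_login(session, now=t0 + offset)
            outcomes.append("ok")
        except ReauthRequired:
            outcomes.append("reauth")
            record_authentication(session, now=t0 + offset)  # user re-enters password
    # A second admin page a minute after the re-auth must not prompt again.
    require_admin_login(session, now=t0 + 17 * 60)
    outcomes.append("ok")
    return outcomes


if __name__ == "__main__":
    print(simulate_admin_session())   # ['ok', 'ok', 'reauth', 'ok']
```

The timestamp is kept in the server-side session rather than in a cookie so the client cannot extend its own window, and a timestamp that lies in the future is treated as stale rather than trusted.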
- has a non-specific relationship to
  - MDL-58439 Admin pages login as guest and then throw Access denied error (should prompt for login) require_admin() (Closed)
- has been marked as being related by
  - MDL-52812 An user can enter with an admin role only copying valid sessionID from another computer with the same IP address. (Closed)
  - MDL-66173 Add hooks to extend all forms with /login/ (Closed)
- has to be finished together with
  - MDL-70177 Require re-authentication when users make changes to sensitive profile information or account settings (Open)
- will help resolve
  - MDL-67066 "Keep me logged in" option on login page, (Open)