Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66172

Add require_recent_login() for higher security pages

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Development in progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Future Dev
    • Fix Version/s: None
    • Component/s: Authentication

      Description

      There are various pages where you want security to be tighter than normal. eg you might have a 1 hour session inactivity timeout, but if you went to do something then you'd expect to re-authenticate even though you are already in a session.

      So proposing:

      1) to introduce a function require_recent_login() which is what it says on the box. It would operate the same as say a sudo password and might timeout within 15 minutes, but not bug you twice within that period.

      2) A new config option which defines how recent 'recent' is. Sane default might be 15 minutes which is the same as sudo

      3) Introduce a new option which says whether editing admin settings should be considered 'more secure'. If so then call require_recent_login() from require_admin_login()

      I'm in two minds about whether there should be 1 or 2 new admin settings. Most moodles won't need this, so it might be simpler to conflate the two settings and have it default to 0 which would turn it off. 

       

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                peterburnett Peter Burnett
                Reporter:
                brendanheywood Brendan Heywood
                Participants:
                Component watchers:
                Jake Dallimore, Jun Pataleta, Ryan Wyllie
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated: