Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66172

Add require_recent_login() for higher security pages



    • Improvement
    • Status: Development in progress
    • Minor
    • Resolution: Unresolved
    • Future Dev
    • None
    • Authentication


      There are various pages where you want security to be tighter than normal. eg you might have a 1 hour session inactivity timeout, but if you went to do something then you'd expect to re-authenticate even though you are already in a session.

      So proposing:

      1) to introduce a function require_recent_login() which is what it says on the box. It would operate the same as say a sudo password and might timeout within 15 minutes, but not bug you twice within that period.

      2) A new config option which defines how recent 'recent' is. Sane default might be 15 minutes which is the same as sudo

      3) Introduce a new option which says whether editing admin settings should be considered 'more secure'. If so then call require_recent_login() from require_admin_login()

      I'm in two minds about whether there should be 1 or 2 new admin settings. Most moodles won't need this, so it might be simpler to conflate the two settings and have it default to 0 which would turn it off. 




        Issue Links



              peterburnett Peter Burnett
              brendanheywood Brendan Heywood
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski
              4 Vote for this issue
              9 Start watching this issue