
keeping session alive with "live monitor"

Posted: Fri Nov 07, 2008 3:06 pm
by mikedoc
[Intro: mikedoc is not a doctor; he shepherds a data recording system]

Like a lot of other systems, FreeNATS will time out and request a new login if I've not done anything for a while. It appears, however, that LiveMonitor refreshing is counted as activity, and if I leave a LiveMonitor up, the baddies can come up to my keyboard and make changes which will then be blamed on me. Of course, I can prevent access by putting a password on the screensaver, so it shouldn't be considered a bug.

Question: was this a deliberate design choice, or did it just fall out from normal session handling?

Re: keeping session alive with "live monitor"

Posted: Fri Nov 07, 2008 8:22 pm
by dave
Hi Mikedoc,

Well perhaps a deliberate fall out from normal session handling :D

From the docs: By refreshing every 60 seconds the monitor page does not expire its session which is useful for monitor displays but you must be careful from a security viewpoint.

Let me know if it's a problem for you and I can always stop it refreshing the session but any drill-down etc wouldn't work.

Or... create a read-only user that can do no bad stuff and use that for monitoring, elevating yourself to the giddy heights of admin user only when required.

Cheers,

Dave.

Re: keeping session alive with "live monitor"

Posted: Tue Nov 11, 2008 10:54 pm
by mikedoc
Hi Dave,

"Well perhaps a deliberate fall out from normal session handling"

Thanks for the reply. I was wondering if you have seen any "abnormal", more paranoid session handling which would allow refreshing without examining (to allow refresh to continue "forever") or updating the session expiry (to force any other activity to be re-authenticated).

Regards,
-- Mike

Re: keeping session alive with "live monitor"

Posted: Wed Nov 12, 2008 6:48 pm
by dave
Hi,

Done - 1.02.1a now uploaded as the dev version.

You need to set the system variable site.monitor.keepalive to 0 (it will default to 1 if unset). This just means the monitor session check doesn't rely on (or refresh) the expiry time.

Sadly most stuff doesn't support the ability to redirect back once authenticated but I have added it to the node view. Gradually more pages such as groups will get this.

Hope that is ok for you.

Cheers,

Dave.
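
A minimal model of the session behaviour discussed in this thread, added here as an illustration; it is not FreeNATS code. Only the setting name site.monitor.keepalive comes from the thread; the class, the function names and the 600-second idle timeout are assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 600  # seconds; constructed value, not FreeNATS's real timeout


@dataclass
class SessionStore:
    # Models site.monitor.keepalive: True ~ 1 (the default), False ~ 0.
    monitor_keepalive: bool = True
    last_activity: dict = field(default_factory=dict)

    def login(self, sid, now):
        self.last_activity[sid] = now

    def check(self, sid, now, monitor=False):
        """Return True if the request may proceed under this session."""
        if sid not in self.last_activity:
            return False
        if monitor and not self.monitor_keepalive:
            # Monitor refresh neither examines nor updates the expiry time:
            # the display keeps working but earns no extra session life.
            return True
        if now - self.last_activity[sid] > IDLE_TIMEOUT:
            return False  # idle too long: this request must re-authenticate
        self.last_activity[sid] = now  # ordinary activity slides the expiry
        return True


def unattended_hour(keepalive):
    """Log in at t=0, leave the monitor refreshing every 60 s for an hour,
    then try a non-monitor request. Returns (monitor_ok, other_ok)."""
    store = SessionStore(monitor_keepalive=keepalive)
    store.login("s1", now=0)
    monitor_ok = all(
        store.check("s1", t, monitor=True) for t in range(60, 3601, 60)
    )
    other_ok = store.check("s1", 3660)
    return monitor_ok, other_ok


if __name__ == "__main__":
    for setting in (True, False):
        print("keepalive =", int(setting), "->", unattended_hour(setting))
```

With keepalive on, the unattended monitor keeps the whole session usable an hour later; with it off, the monitor keeps refreshing but any other request is refused until the user logs in again.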