The Security screen allows the administrator to change the settings that ensure secure operation of the application, namely the following:
Password rules for administrators
Minimum password length
Minimum password length for administrator accounts. The length is enforced when setting a new password or changing an existing one.
Password must contain
By ticking the required character groups (lowercase letters, uppercase letters, digits, symbols) it is possible to raise the complexity of the passwords used. The following characters count as symbols: ! @ # $ % ^ & *. The character groups are checked when setting a new password or changing an existing one.
Forbid leaked passwords usage
When enabled, a new password is rejected if it appears in a known password data breach. The "Have I Been Pwned" (HIBP) Pwned Passwords service is used for this check. The password itself is never sent anywhere: only the first 5 hex characters of the password's SHA-1 hash are sent, and the returned list of hash suffixes sharing that prefix is compared with the full hash locally. For more information see: https://haveibeenpwned.com/API/v3#PwnedPasswords. This is checked when setting a new password or changing an existing one.
Password rules for users
Minimum password length
Minimum password length for user accounts. The length is enforced when setting a new password or changing an existing one.
Password must contain
By ticking the required character groups (lowercase letters, uppercase letters, digits, symbols) it is possible to raise the complexity of the passwords used. The following characters count as symbols: ! @ # $ % ^ & *. The character groups are checked when setting a new password or changing an existing one.
Forbid leaked passwords usage
When enabled, a new password is rejected if it appears in a known password data breach. The "Have I Been Pwned" (HIBP) Pwned Passwords service is used for this check. The password itself is never sent anywhere: only the first 5 hex characters of the password's SHA-1 hash are sent, and the returned list of hash suffixes sharing that prefix is compared with the full hash locally. For more information see: https://haveibeenpwned.com/API/v3#PwnedPasswords. This is checked when setting a new password or changing an existing one.
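The following is an added example, not the application's own code, showing how the two password rule groups above fit together: the length and character-group policy, and the HIBP k-anonymity lookup in which only the 5-character SHA-1 prefix leaves the server. The sample range response and its counts are constructed for offline use (the suffix for "password" is its real SHA-1); the function, parameter and constant names are this example's own, and live_fetch_range is the only part that talks to the network.

```python
import hashlib

# Symbol set as documented on the Security screen.
SYMBOLS = "!@#$%^&*"


def check_policy(password, min_length=8, lowercase=True, uppercase=True,
                 digits=True, symbols=True):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if lowercase and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if uppercase and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if digits and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if symbols and not any(c in SYMBOLS for c in password):
        problems.append("no symbol from " + SYMBOLS)
    return problems


def hibp_split(password):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to HIBP and the 35-character suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how many times the password appears in HIBP (0 = not found).

    fetch_range(prefix) must return the text body that
    GET https://api.pwnedpasswords.com/range/<prefix> returns: one
    "SUFFIX:COUNT" pair per line. Only the prefix is ever passed to it."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padded responses contain dummy suffixes with count 0; those are not hits.
        if candidate == suffix and count.isdigit() and int(count) > 0:
            return int(count)
    return 0


def live_fetch_range(prefix):
    """Real lookup (not used by the offline checks below). Add-Padding asks HIBP to
    pad the response so the number of returned suffixes does not leak the range size."""
    from urllib.request import Request, urlopen
    req = Request("https://api.pwnedpasswords.com/range/" + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "password-policy-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range endpoint: the first suffix is the real SHA-1
# suffix of "password"; the counts and the remaining entries are made up.
_SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
             "0000000000000000000000000000000000A:0\n",
}


def sample_fetch_range(prefix):
    """Offline replacement for live_fetch_range; unknown prefixes get only padding."""
    return _SAMPLE_RANGES.get(prefix, "0000000000000000000000000000000000A:0\n")


def validate_new_password(password, fetch_range=sample_fetch_range, **policy):
    """Full check in the order the Security screen describes: policy, then breach lookup."""
    problems = check_policy(password, **policy)
    if not problems and breach_count(password, fetch_range):
        problems.append("found in a known data breach")
    return problems
```

Swap sample_fetch_range for live_fetch_range to query the real service; because the lookup key is a 20-bit prefix, each range holds hundreds of suffixes, so the comparison with the local full hash is what decides the result, not the request itself.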
Password reset link lifetime
For user requested reset
If a local user (see user types) has problems logging in and requests a password reset, a notification is sent to their email address containing a unique link with a temporary, single-use token that allows them to set a new password. This setting specifies for how many minutes this temporary token link stays valid.
...
For administrator requested reset
If the administrator requests a password reset for a local user, a notification is sent to the user's email address containing a unique link with a temporary, single-use token that allows the user to set a new password. This setting specifies for how many minutes this temporary token link stays valid.
...
For newly created user and administrator accounts
When creating a new local user or administrator, the administrator can, instead of setting the password directly, send the recipient a unique link with a temporary, single-use token that allows them to set their initial password themselves. This setting specifies for how many minutes this temporary token link stays valid.
...
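Added example (not the application's own code) of how the three reset-link lifetimes above can be implemented in one place: each purpose gets its own lifetime in minutes, a token is random and single-use, and only a hash of it is kept server-side so a database leak does not yield usable links. The class and function names, the one-pending-token-per-account rule and the example.invalid link base are assumptions of this example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse


class ResetLinkIssuer:
    """Issues single-use password-setting tokens for the three cases the Security
    screen distinguishes, each with its own lifetime in minutes."""

    def __init__(self, user_reset_minutes, admin_reset_minutes, new_account_minutes,
                 now=time.time):
        self.lifetimes = {
            "user_reset": user_reset_minutes * 60,
            "admin_reset": admin_reset_minutes * 60,
            "new_account": new_account_minutes * 60,
        }
        self.now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}      # sha256(token) -> (account, purpose, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored; the clear token exists solely in the emailed link.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account, purpose, base_url="https://example.invalid/reset"):
        """Create a fresh token (replacing any pending one for the account) and return the link."""
        lifetime = self.lifetimes[purpose]              # KeyError for an unknown purpose
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)               # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account, purpose, self.now() + lifetime)
        return base_url + "?token=" + token

    def redeem(self, token):
        """Return (account, purpose) exactly once for a valid token; None if unknown, used or expired."""
        entry = self._pending.pop(self._digest(token), None)   # pop enforces single use
        if entry is None:
            return None
        account, purpose, expires_at = entry
        if self.now() > expires_at:
            return None                                  # expired links are discarded, not retried
        return account, purpose


def token_from_link(link):
    """Extract the token query parameter from a link built by issue()."""
    return parse_qs(urlparse(link).query)["token"][0]
```

Because redeem() pops the entry before checking the time, an expired token is removed as well, so it can never be replayed later even if the clock on the server is adjusted.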
Login and authorization lifetime
After logging in, a JWT token is issued to both users and administrators. It is returned by the server in an HTTP cookie and is then sent back by the browser with every request to the server. The JWT token contains an expiration time until which it is valid. If the server receives a token that has already expired, the user is logged out. The JWT token is refreshed and its expiration time extended on every successful request to the server, so a user who is actively using the application is never logged out automatically. This setting specifies the authentication token's expiration time in seconds.
Put simply, this setting specifies after how long a period of inactivity the user is automatically logged out.
Secret for JWT token signing
After logging in, a JWT token is issued to both users and administrators. The token is signed with a secret key held by the server, and the signature of every received token is checked against this key (this ensures the token was not altered outside the server). The key should be at least 32 characters long. Changing the key invalidates all issued JWT tokens and therefore logs out all users and administrators. The key is stored on the server. For security reasons it must never leave the server, so it cannot be displayed, only replaced by submitting a new one. The default key, if none was specified, is a string of random characters generated during the application installation.
Salt added to XSRF token
After logging in, a JWT token is issued to both users and administrators. The JWT token contains, among other things, an XSRF token, which helps protect against XSRF (cross-site request forgery) attacks. The XSRF token is a string of random characters combined with a secret key (the "salt"). This setting sets that salt. Changing the salt invalidates all issued tokens and therefore logs out all users and administrators. The salt is stored on the server. For security reasons it must never leave the server, so it cannot be displayed, only replaced by submitting a new one. The default salt, if none was specified, is a string of random characters generated during the application installation.
the login session is extended continuously.
Idle login session timeout
Lifetime of the authentication JWT token in seconds (60 - 1000000). The token is renewed by every user action, so this is effectively the idle timeout after which an inactive session is logged out.
Maximum login session timeout
Absolute lifetime of the authentication JWT token in seconds (60 - 1000000). After this time the token can no longer be renewed by user action and the user is logged out regardless of activity.
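Added example, not the application's own code, tying together the session settings above: an HS256-signed JWT whose "exp" slides forward on every successful request (idle timeout) but never past an absolute cap, a signing secret of at least 32 characters whose replacement invalidates every token, and an XSRF token bound to a server-side salt whose replacement does the same. The claim names "abs" and "xsrf", the HMAC-over-random-part construction of the XSRF token, and the class and method names are assumptions of this example; the page only states that the token contains an XSRF token formed from random characters and the salt.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionTokens:
    """HS256 JWT sessions with a sliding idle timeout, an absolute cap and a salted XSRF token."""

    def __init__(self, jwt_secret, xsrf_salt, idle_seconds, max_seconds, now=time.time):
        if len(jwt_secret) < 32:
            raise ValueError("JWT signing secret should be at least 32 characters")
        if not (60 <= idle_seconds <= 1000000 and 60 <= max_seconds <= 1000000):
            raise ValueError("lifetimes must be within 60 - 1000000 seconds")
        self.secret = jwt_secret.encode("utf-8")
        self.salt = xsrf_salt.encode("utf-8")
        self.idle = idle_seconds
        self.max = max_seconds
        self.now = now                                  # injectable clock

    def _sign(self, signing_input):
        return _b64url(hmac.new(self.secret, signing_input, hashlib.sha256).digest())

    def _encode(self, claims):
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        return "%s.%s.%s" % (header, payload, self._sign(("%s.%s" % (header, payload)).encode()))

    def _xsrf_token(self, random_part):
        # Random part plus an HMAC over it keyed with the salt (assumed construction).
        tag = hmac.new(self.salt, random_part.encode(), hashlib.sha256).hexdigest()[:32]
        return random_part + "." + tag

    def issue(self, subject, role):
        now = int(self.now())
        claims = {"sub": subject, "role": role, "iat": now,
                  "exp": now + self.idle,                # idle timeout, slides on every request
                  "abs": now + self.max,                 # absolute cap, never moves
                  "xsrf": self._xsrf_token(secrets.token_hex(16))}
        return self._encode(claims)

    def verify(self, token):
        """Return the claims of a valid, unexpired token, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        expected = self._sign(("%s.%s" % (header, payload)).encode())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None                                  # tampered, or signed with a replaced secret
        try:
            hdr = json.loads(_unb64url(header))
            claims = json.loads(_unb64url(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        if hdr.get("alg") != "HS256":                   # never let the token pick the algorithm
            return None
        random_part, _, tag = claims.get("xsrf", "").partition(".")
        if not hmac.compare_digest(self._xsrf_token(random_part), random_part + "." + tag):
            return None                                  # salt was replaced since issue
        now = int(self.now())
        if now >= claims["exp"] or now >= claims["abs"]:
            return None
        return claims

    def renew(self, token):
        """Re-issue on a successful request: exp slides forward, bounded by abs."""
        claims = self.verify(token)
        if claims is None:
            return None
        claims["exp"] = min(int(self.now()) + self.idle, claims["abs"])
        return self._encode(claims)

    def xsrf_ok(self, claims, header_value):
        """State-changing requests must echo the XSRF token, e.g. in a request header."""
        return hmac.compare_digest(claims["xsrf"], header_value)
```

With the cookie sent automatically by the browser, the echoed XSRF value is what a cross-site page cannot supply; comparing it against the value inside the signed token means no server-side session store is needed for the check.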
Password protected package access validity
Number of seconds for which a password-protected package can be accessed without re-entering the password (60 - 1000000).
reCaptcha
reCAPTCHA secret key
Sets the reCAPTCHA secret key in case the reCAPTCHA anti-spam mechanism is used (see https://developers.google.com/recaptcha/intro). If not set, reCAPTCHA is not used.
...
Enables or disables logging of reCAPTCHA verification results to the audit log. Enable it only temporarily while debugging problems with sending packages, because it can produce a large number of log entries.
Other settings
Enable repeated password guessing protection
...
If disabled, there is no limit on login attempts. It should therefore always be enabled for production use; otherwise user accounts are exposed to rapid automated password guessing and possible account takeover.
...
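Added example, not the application's own implementation, of what "repeated password guessing protection" amounts to in practice: a per-account counter of failed logins within a window, a temporary lockout once the limit is reached, and a disabled mode that, as the text warns, lets an unlimited number of attempts through. The limits, the fixed-window design and the names are this example's assumptions; the page does not describe the product's actual algorithm.

```python
import time
from collections import deque


class LoginGuard:
    """After max_failures failed logins within window_seconds the account is locked
    for lockout_seconds; a successful login clears the counter."""

    def __init__(self, enabled=True, max_failures=5, window_seconds=900,
                 lockout_seconds=900, now=time.time):
        self.enabled = enabled
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.now = now                  # injectable clock
        self._failures = {}             # account -> deque of failure timestamps
        self._locked_until = {}         # account -> time the lockout ends

    def allowed(self, account):
        """False while the account is locked; always True when protection is disabled."""
        if not self.enabled:
            return True
        return self.now() >= self._locked_until.get(account, 0)

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            return
        now = self.now()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and q[0] < now - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()


def attempt_login(guard, account, password_ok):
    """Login flow with the guard in front of the password check.

    Returns 'locked', 'ok' or 'failed'. A locked account is refused even when
    the password is right, so the attacker gains nothing by continuing."""
    if not guard.allowed(account):
        return "locked"
    guard.record(account, password_ok)
    return "ok" if password_ok else "failed"
```

Two caveats for a real deployment: a lockout keyed only on the account name lets an attacker lock legitimate users out on purpose, so pair it with per-source-address throttling or progressive delays; and the "locked" response should look like an ordinary failure to the client, or it becomes an account-enumeration oracle.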