EJBCA / ECA-3076

Detect and audit log when an administrator logs out of the CA Web UI

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.0
    • Component/s: CA GUI
    • Labels: None
    • Issue discovered during: Integration
    • Sprint: EJBCA Team Alice - 2019 w2

      Description

      Logging out an administrator is an important security event (in the mind of auditors).

      Since it is not possible to force an admin to actively log out, we need to detect the lack of keep-alive messages from the admin's browser.
      To make this work, we need additional session handling that works both with and without JavaScript.

      Outline:

      • "hidden" <iframe> with meta-refresh (every 30 seconds) and JavaScript reload (every 25 seconds) poking a Servlet with a jsessionid as GET parameter
      • Detect time-outs of the user session due to inactivity by having this functionality as a separate web-app where the AdminGUI jsessionid cookie is not sent with the servlet poke.
      • New hidden service that
        • looks for sessions where the servlet poke has not taken place and destroys the related AdminGUI session.
        • looks for regular timed out known sessions
      • Connect Logout link to the same logout code, where the event is audit-logged

      Expected result:

      • User session timeout will result in audit log event
      • User closing the browser/tab will result in audit log event and unusable session
      • User pressing logout will result in audit log event
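      The bookkeeping behind the outline above as one class, added here as an illustration and not taken from EJBCA: the names KeepAliveTracker, pokeGrace and idleTimeout are assumptions, and the AdminGUI request filter, the poke servlet, the Logout link and the periodic hidden service would call activity(), poke(), end() and reap() respectively.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Keep-alive bookkeeping for AdminGUI sessions (illustrative class, not EJBCA code). The poke servlet
 *  runs in a separate web-app so the AdminGUI session cookie is not sent with the poke; otherwise every
 *  poke would count as activity and the AdminGUI session could never time out through inactivity. */
public class KeepAliveTracker {
    public enum Reason { LOGOUT, BROWSER_CLOSED, INACTIVITY_TIMEOUT }
    private final Map<String, Instant> lastPoke = new ConcurrentHashMap<>();     // poke servlet hits
    private final Map<String, Instant> lastActivity = new ConcurrentHashMap<>(); // real AdminGUI requests
    private final Duration pokeGrace;   // e.g. 60 s: two missed 30 s meta-refreshes mean the tab is gone
    private final Duration idleTimeout; // the configured AdminGUI session timeout
    public KeepAliveTracker(Duration pokeGrace, Duration idleTimeout) { this.pokeGrace = pokeGrace; this.idleTimeout = idleTimeout; }

    /** Called by an AdminGUI filter on every real request; registers the session on first sight. */
    public void activity(String sessionId, Instant now) {
        lastActivity.put(sessionId, now);
        lastPoke.putIfAbsent(sessionId, now);
    }
    /** Called by the poke servlet with the jsessionid GET parameter; the id is a secret, keep it out of logs. */
    public void poke(String sessionId, Instant now) {
        if (lastActivity.containsKey(sessionId)) lastPoke.put(sessionId, now); // unknown ids are ignored
    }
    /** Shared by the Logout link (Reason.LOGOUT) and the reaper, so every session end is audit-logged once. */
    public String end(String sessionId, Reason reason, Instant now) {
        lastPoke.remove(sessionId);
        lastActivity.remove(sessionId);
        return String.format("AUDIT %s session=%s reason=%s", now, sessionId, reason); // hand to the audit log
    }
    /** The hidden service, run periodically: catches regular time-outs and sessions whose pokes stopped. */
    public List<String> reap(Instant now) {
        List<String> events = new ArrayList<>();
        for (Map.Entry<String, Instant> e : new ArrayList<>(lastActivity.entrySet())) {
            String id = e.getKey();
            Instant poked = lastPoke.getOrDefault(id, e.getValue());
            if (Duration.between(e.getValue(), now).compareTo(idleTimeout) >= 0) {
                events.add(end(id, Reason.INACTIVITY_TIMEOUT, now));
            } else if (Duration.between(poked, now).compareTo(pokeGrace) >= 0) {
                events.add(end(id, Reason.BROWSER_CLOSED, now)); // tab closed: pokes stopped before the timeout
            }
        }
        return events;
    }
}
```

      The inactivity check runs first, so an idle tab that still pokes is logged as a time-out, while a closed tab is logged as BROWSER_CLOSED long before the configured timeout would expire.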

              People

              • Assignee: Henrik Sunmark (hsunmark)
              • Reporter: Johan Eklund (johan)
              • Votes: 0
              • Watchers: 5

              Time Tracking

              • Original Estimate: 2d
              • Remaining Estimate: 7h
              • Time Spent: 1d 1h