auto Logoff Management Console

Discussion in 'Ideas' started by itserviceconsult, Sep 12, 2017.


  1. itserviceconsult

    Joined:
    Sep 28, 2016
    Messages:
    1
    Likes Received:
    0
    Hello
    I would be pleased if it would be possible to set a setting with an automatic logoff in the console. It is a security risk if you do not go to unsubscribe.

    Best regards
     
  2. giwm

    giwm New Member

    Joined:
    Sep 27, 2016
    Messages:
    236
    Likes Received:
    41
    If not logging off is a security risk, then you have MUCH bigger problems than 3CX stuff. Such as who has that level of access to your computer.
     
  3. helpdesk@pbx2ip.com

    Joined:
    Dec 6, 2015
    Messages:
    1
    Likes Received:
    1
    Why do Banks all Auto-Logout..?

    With the risk of outgoing calls being made by a potential hacker, shouldn't 3CX also be auto-logging out from the management console because of Session Hijacking? It would be more secure if you could have this, as a lost connection (disconnected or dropped by accident) would still remain open until you restart the PBX. Would this cause not only a security risk but a possible memory leak?

    memory leak
    noun
    Computing
    noun: memory leak; plural noun: memory leaks
    1. a failure in a program to release discarded memory, causing impaired performance or failure.


    What is Session Hijacking?
    Let’s discuss them in common terms. Session Hijacking, by the name only, suggests that we are hacking someone’s active session and trying to exploit it by taking unauthorized access over their computer system or network. So Session Hijacking is the exploitation of a valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or, more correctly, Magic Cookie Hack. Now you guys will surely be thinking: what is a Magic Cookie?
    A magic cookie is simply a cookie that is used to authenticate the user on a remote server or simply a computer. In general, cookies are used to maintain the sessions on websites and store the remote address of the website. So in Session Hijacking what the hacker does is try to steal the magic cookies of the active session; that’s why it’s called HTTP cookie theft. Nowadays several websites have started using HTTPS cookies, simply called encrypted cookies. But we all know if an encrypter exists, so does its decrypter :p
    Session Hijacking is the process of taking over an existing active session. One of the main reasons for hijacking the session is to bypass the authentication process and gain access to the machine. Since the session is already active, there is no need to re-authenticate and the hacker can easily access the resources and sensitive information like passwords, bank details and much more.
     
    Brad Allison likes this.
  4. Brad Allison

    Joined:
    Jun 7, 2017
    Messages:
    67
    Likes Received:
    18
    On multiple posts in regards to this topic the blame keeps getting put on the admins and end users for not logging off being the security risk...

    Look at other management consoles of firewalls, switches, wireless controllers, server IPMI, the list keeps on going...
    They have or at least support session timeouts of some form, why is that?
    Session timeouts are a common security practice.
     
  5. narkumas

    narkumas New Member

    Joined:
    Nov 28, 2016
    Messages:
    227
    Likes Received:
    29
    I do support the request. But not because of session hijacking.
    For me it is very common to visit end users. Sometimes they have a wish concerning 3CX.
    So I just open a browser in their user session and make some changes in 3CX. Then I log off from 3CX.
    But it may happen that I forget to log off and just close the browser.
    When this happens the user can reopen the browser and enter the console without login until I do another login on another computer.

    So the major risk for me is to expose the whole 3CX administration to a user accidentally.
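
The scenario in the post above (an admin closes the browser without logging off and the end user reopens it), as an added example that is not part of the original thread and is not 3CX code: a server-side session store that enforces an idle timeout and an absolute lifetime. The class name, the timeout values and the `demo` scenario are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed value: seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed value: maximum lifetime of any session


class SessionStore:
    """Hypothetical server-side session table with idle and absolute expiry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> [user, created_at, last_seen]

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session cookie value
        now = self._clock()
        self._sessions[token] = [user, now, now]
        return token

    def validate(self, token):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]  # expiry is enforced on the server
            return None
        entry[2] = now  # activity restarts the idle timer only
        return user

    def logout(self, token):
        self._sessions.pop(token, None)


def demo():
    """Constructed scenario: browser closed without logoff, reopened later."""
    t = [0.0]
    store = SessionStore(clock=lambda: t[0])
    cookie = store.login("admin")
    t[0] += 5 * 60
    active = store.validate(cookie)    # admin still working in the console
    t[0] += 20 * 60                    # browser closed, cookie left behind
    reopened = store.validate(cookie)  # end user reopens the browser
    return active, reopened
```

Because expiry is checked against the server's own record, a cookie left in the browser stops working after the idle window even though nobody clicked log off.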
     
  6. Brad Allison

    Joined:
    Jun 7, 2017
    Messages:
    67
    Likes Received:
    18
    Auto logoff for the management portal would be a great feature.