Feature #16678

Updated by Peter Amstutz about 4 years ago

Add a configuration feature where tokens issued through web login have a default lifetime. An expiration time of 8 or 12 hours implements a policy where users are required to log in again each day, and limits the amount of time an attacker could make use of a stolen token. The token is prevented from manipulating other tokens (i.e. getting other tokens or creating a new token without an expiration).

Document this feature in the admin section.
 

