Feature Request - Session time-out - security issue

Discussion in 'DD-WRT Firmware' started by dellsweig, Oct 26, 2006.

    dellsweig Network Guru Member


    I have posted on this topic in the past and made a formal feature request on bugtrak as well.

    I am posting this again based on some threads in other forums (security issues) and from experience with Web GUIs with enterprise-class products.

    Once you authenticate with DD-WRT (or Linksys code), your browser will not prompt you for a password again - even if you close the page and re-enter the admin GUI. In a tabbed browser like IE7 or FF, you can close the tab, open a new tab and type your router URL and not be challenged for a password. This condition continues UNTIL you exit your browser and restart.

    This is a security exposure. Any enterprise-class Web interface will time your session out and force a re-authentication. This should be a simple thing to implement in V24 - and should be considered for V23 as well.
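
A sketch of the idle time-out requested above, as an added example that is not part of the original post or DD-WRT's own code. It assumes the admin GUI uses HTTP Basic authentication, where the browser resends cached credentials by itself, so the server forces a new prompt by rejecting them once after the idle limit; `check_request`, `IDLE_LIMIT` and keying sessions by client address are hypothetical choices.

```c
#include <string.h>
#include <time.h>

#define IDLE_LIMIT  600   /* seconds of inactivity allowed (constructed value) */
#define MAX_CLIENTS 8

enum verdict { ALLOW, CHALLENGE };  /* CHALLENGE = answer 401 with WWW-Authenticate */

struct session { char addr[46]; time_t last_seen; int live; };
static struct session table[MAX_CLIENTS];

/* Return the slot for addr, or recycle the least recently used slot for it.
 * A recycled client is treated as a first login, so size the table for the
 * number of hosts that administer the router. */
static struct session *slot_for(const char *addr)
{
    struct session *oldest = &table[0];
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (strcmp(table[i].addr, addr) == 0)
            return &table[i];
        if (table[i].last_seen < oldest->last_seen)
            oldest = &table[i];
    }
    memset(oldest, 0, sizeof *oldest);
    strncpy(oldest->addr, addr, sizeof oldest->addr - 1);
    return oldest;
}

/* Decide how to answer one request. creds_valid is the result of the usual
 * password check on the Authorization header (0 when it is missing or wrong). */
enum verdict check_request(const char *addr, int creds_valid, time_t now)
{
    if (!creds_valid)
        return CHALLENGE;            /* session state is left untouched */
    struct session *s = slot_for(addr);
    if (s->live && now - s->last_seen > IDLE_LIMIT) {
        s->live = 0;                 /* expired: reject the cached credentials once */
        s->last_seen = now;
        return CHALLENGE;            /* browser discards them and prompts the user */
    }
    s->live = 1;                     /* first login, re-login, or active session */
    s->last_seen = now;
    return ALLOW;
}
```

The server cannot tell a retyped password from a cached one; the single rejection after the idle limit is what makes the browser ask again.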


