Feature Request - Session time-out - security issue

Discussion in 'DD-WRT Firmware' started by dellsweig, Oct 26, 2006.

  1. dellsweig

    dellsweig Network Guru Member

    Greetings

    I have posted on this topic in the past and made a formal feature request on bugtrak as well.

    I am posting this again based on some threads in other forums (security issues) and from experience with Web GUIs with enterprise-class products.

    Once you authenticate with DD-WRT (or Linksys code), your browser will not prompt you for a password again - even if you close the page and re-enter the admin GUI. In a tabbed browser like IE7 or FF, you can close the tab, open a new tab and type your router URL and not be challenged for a password. This condition continues UNTIL you exit your browser and restart.

    This is a security exposure. Any Enterprise class Web interface will time your session out and force a re-authentication. This should be a simple thing to implement in V24 - and should be considered for V23 as well.

    Comments??
     