I'm not sure if this is a new "feature" or a bug, but when you leave a browser window open with the Dashboard displayed, the "WebAdmin idle timeout" feature will never log you out.
I have mine set to auto log-out after 5 minutes, but have left the WebAdmin Dashboard open for at least 1 hour when I wasn't even on the computer and came back and still had full access to WebAdmin without having to log back in.
This behavior is obviously due to the way the Dashboard is constantly refreshed every 5-60 seconds (which presumably resets the default 300 second counter for auto log out).
I personally like the fact that it doesn't log you out as you can leave the Dashboard open and drag it to another monitor and constantly monitor traffic and firewall activity without having to either have ridiculously long idle timeout periods set or constantly be logging back in.
I was mainly just curious from a security perspective if this was working as planned. I do see this as a potential security issue though, especially in a location where unauthorized individuals could gain physical access to any of the computers that are allowed to remotely configure the firewalll.
It theoretically would be all too easy for one to accidentally leave the dashboard open and thereby potentially give someone full, unrestricted access to the firewall through WebAdmin.
If the Dashboard non-timeout behavior is deemed to be a bug, maybe Astaro could add another check-box in WebAdmin that, by default, logs out the Dashboard after *** seconds (or gives one the option to disable auto log out for just the Dashboard).
Guest User!
You are not Sophos Staff.
