0
Archived

security issue with ldap

obrien g 7 years ago updated by swhite (Product Manager) 1 year ago 2

Hey think i found a security bug in the app.  I use LDAP to authenticate users.

I have created several security groups that provides various permissions throughout the app.

I have set up 2FA for the users, this works as standard.

However I noticed once a user is logged into ScreenConnect, and then if i then disable the user in AD.  The user still has full access to the web app, even when i close the web browser and reopen it they are still connected. 

I am using the self hosted version and running the latest software.

Ideally it would be best if once the user was disabled in AD the logged in user was locked out.  or if we could force users sessions to log out

Good morning,


Thank you for submitting this topic. I certainly understand the desire to have hosts that have been removed from your AD automatically logged out. Since a currently logged-in user's token is generated upon login, and won't be reevaluated until the MaxLongestTicketReissueIntervalSeconds has elapsed for a particular site location when the user is idle (e.g., Host.aspx, Administration.aspx), this user will not be automatically and immediately logged out when their account is disabled in LDAP.


You can decrease the values of MaxLongestTicketReissueIntervalSeconds for various site locations in your web.config to force re-authentication on a more regular basis when a user is idle. For example, the default MaxLongestTicketReissueIntervalSeconds for Host.aspx is 86400 (24 hours). You may want to decrease this value to something like 300 so that idle users are automatically logged out after 5 minutes of inactivity.


I am going to move this thread over to our Feature Request portal for additional evaluation by our product management team.


Regards,

Ben

Commenting disabled