Panel Security Hole


#1

When logging into Dreamhost’s web-based panel, there needs to be an AUTO-LOGOUT function implemented.

I recently made a quick change in Dreamhost’s Control Panel from a client’s computer and forgot to log out. When I returned a few days later my client still had full access to ALL my domains, email addresses, billing information, and other sensitive data.

I know I should remember to log out after every session, but the reality is that sometimes I’m in a huge rush and it doesn’t happen.

Every other password-protected site I use (i.e. banks, credit cards, ISP, etc.) automatically logs the users off after a certain amount of time. There’s no reason why Dreamhost’s Panel shouldn’t do the same.


#2

That’s a good point, since the DH panel can actually give you access to things that end up costing you money, as well as trouble if strangers meddle.

I would personally prefer to be always logged in, since I only touch the panel from my own computers. An auto-disconnect would bug me. But it could be a per-user preference setting.

Did you already put this into the Suggestions box?

TorbenGB


#3

Exactly!

:slight_smile:

happylittlethings.com


#4

Just a simple “keep me logged in” box (default unchecked) on the login page will solve that. If it’s not checked, set the cookie to expire at the end of session (browser closes).

Problem solved. It’ll take … 3 lines of code? At the most.
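
The "keep me logged in" checkbox suggested in post #4, paired with the server-side idle timeout asked for in post #1, as an added example that is not part of the thread and not DreamHost's code. The cookie name `panel_session`, both time limits and the in-memory session store are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60          # assumed: idle limit when the box is unchecked
REMEMBER_TTL = 14 * 24 * 3600   # assumed: lifetime when the box is checked
SESSIONS = {}                   # token -> session record (stand-in for a real store)


def login(user, keep_logged_in=False, now=None):
    """Create a session; return (token, Set-Cookie header value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "user": user,
        "remember": keep_logged_in,
        "last_seen": now,
        "expires": now + REMEMBER_TTL if keep_logged_in else None,
    }
    cookie = SimpleCookie()
    cookie["panel_session"] = token      # hypothetical cookie name
    morsel = cookie["panel_session"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if keep_logged_in:
        morsel["max-age"] = REMEMBER_TTL  # persistent cookie
    # Box unchecked: no Max-Age/Expires, so the browser drops the cookie on close.
    return token, morsel.OutputString()


def authenticate(token, now=None):
    """Return the user for a live session; destroy it and return None if expired."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["remember"]:
        expired = now >= session["expires"]
    else:
        # A session cookie survives as long as the browser stays open,
        # so the server also enforces the idle limit itself.
        expired = now - session["last_seen"] > IDLE_TIMEOUT
    if expired:
        del SESSIONS[token]
        return None
    session["last_seen"] = now
    return session["user"]
```

With the box unchecked, the forgotten login on a guest computer ends after the idle limit even if the browser is never closed.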


#5

I wouldn’t want to be auto logged out. I’m in and out of my account several times a day and having to log in all the time would be a drag. An extra bonus of staying logged in is that I get taken back to the page I was last working on when I go to https://panel.dreamhost.com.

Dreamhost has always catered to a level of user that doesn’t need spoonfeeding (hence the lack of WYSIWYG editors and templates). Working on a secure computer or clicking “log out” when you’re done doesn’t seem that onerous.

Just my two cents.


#6

That isn’t a Dreamhost problem.

It’s an ever-so-slight defect with your hosting plan’s administrator.

I know this because my hosting plan’s administrator occasionally has the same problem.


#7

Every other web service that I use (and that requires a minimum of security) does the ‘autologout’ as I close the browser.

Why shouldn’t DreamHost Panel?

That’s default all over the internet.


#8

Not with friendster.

But I think it is still a good idea to automatically log us out for an exceeded period of time.

Dino


#9

I like the idea of a user option on this - actually more of a login radio button like there are on most sites, because I too have a preference for staying logged in on my work and home computer but would like to be logged out on computers where I’m only a “guest”.



#10

This is a nice idea and all, but why bump up a two year old post?

–Matttail
art.googlies.net - personal website