Web Panel Security Concern


#1

I find that Web Panel sessions, unless I specifically log out on exit, are maintained after I close down the browser and even after restarting the computer. This happens with various browsers and on both Windows and Linux. I don’t know of any other “secure” web application which does this. Most time you out automatically after a few minutes and definitely after you close down all browser sessions.

This means that if I forget to log out of the Web Panel or the PC crashes or there’s a power outage then the next user of my account (I share it) can pick up my session and do anything they like with my Dreamhost stuff.

As I say it doesn’t seem to be browser- or platform-dependent but I normally use IE8 with third party cookies disabled and session cookies always allowed.

I’ve tried this on Support but they say because it’s driven by cookies I must either log out or always delete all cookies on exit from the browser. I don’t want to do this just because this one application doesn’t behave properly. Am I being unreasonable? Does anyone have another solution?
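One way to see what post #1 describes, as an added example that is not part of the original post: a login cookie sent without `Expires` or `Max-Age` is a session cookie and is dropped when the browser closes, while one sent with either attribute is stored and survives a restart. The cookie name `panel_session` and the header values below are constructed for illustration, not captured from the panel.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Return (name, lifetime) for one Set-Cookie header value.

    lifetime is None for a session cookie (no usable Expires/Max-Age),
    otherwise a timedelta measured from `now`.
    Max-Age takes precedence over Expires (RFC 6265).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:
        try:
            return name, timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:  # no zone given: treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            return name, when - now
        except (TypeError, ValueError):
            pass  # unparseable date: the attribute is ignored
    return name, None


def survives_browser_close(set_cookie, now):
    """True if the cookie is persistent and has not already expired."""
    _, lifetime = cookie_lifetime(set_cookie, now)
    return lifetime is not None and lifetime > timedelta(0)


if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    constructed = [  # sample headers, not real panel traffic
        "panel_session=abc123; Path=/; Secure; HttpOnly",
        "panel_session=abc123; Max-Age=1209600; Path=/; Secure",
        "panel_session=abc123; Expires=Wed, 09 Jun 2032 10:18:14 GMT; Path=/",
    ]
    for header in constructed:
        kind = "persistent" if survives_browser_close(header, now) else "session"
        print(f"{kind:10} {header}")
```

The header to feed in is the `Set-Cookie` line shown in the browser's developer tools at login. A browser set to restore the previous session on startup can also keep session cookies, so that setting is worth ruling out first.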


#2

I agree that offering a choice of whether to remain logged in or not would be a better option, especially considering that the panel is the gateway to every site and user in your account.

In the meantime, you may consider adding the IP-based restrictions to your web panel account. You can set the access window for as short as 1 hour.


#3

Thanks. How would I add IP-based restrictions? I can’t see a likely option on my panel.


#4

top right -> edit profile


#5

Thank you. Having investigated, I don’t think this option would work for me as with my ISP my IP address changes at least once a day.


#6

Have you even tried? I use it even though my IP address changes. You can set the window as short as 1 hour. Using it is basically the equivalent of adding another lock to the front door. It adds inconvenience to you, but increases security dramatically because there’s no longer a single point of failure.


#7

In case anyone from Dreamhost reads this, although the IP-based login restrictions are a great security improvement for the most important possible failure point, there are two issues:
1. Sometimes it takes a long time to get the email to confirm a new IP. If you are frequently using new IP addresses, this can be a big pain. In my experience, this happens about 10% of the time.
2. There’s no way to see a list of which IPs have been approved and their expiry date. It would be great to be able to revoke permissions for some previously approved IP addresses. I usually set a short approval time, but occasionally have found that the IP address I set for 1 week is actually only going to be good for me for 1 day.

It would also be great to have IP-based restrictions on shell accounts. Databases and the panel both have this possibility, but from what I can tell, shell accounts don’t.