It is hard-coded to 2 minutes. We assume that, from the time the management server has generated the token, the browser should be able to start a session within this time period. It also means that if someone has already broken our first layer of security (the HTTPS web session), he/she has up to 2 minutes to break the 64-bit keyed DES access token. Not sure if it is strong enough though; I'm looking forward to hearing security experts in the community comment on that.
Kelven

-----Original Message-----
From: David Nalley [mailto:[email protected]]
Sent: Friday, April 20, 2012 6:48 PM
To: [email protected]
Cc: Development discussions for CloudStack
Subject: Re: Security aspects of CloudStack console access

On Fri, Apr 20, 2012 at 9:36 PM, Kelven Yang <[email protected]> wrote:
>>> This is done by the expiration argument to the API call to setup the
>>> session?
>
> No, the expiration time is not set through API parameter, but generated
> directly within management server. We don't want this to be configurable.
>

So it's hardcoded? What length of time is it set to?

--David
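The exchange above describes a console access token that the management server issues with a hard-coded 2-minute lifetime and that the console side must check. The following is an added example, written for this page and not CloudStack's own code, showing the shape of that check on both sides: the issuer binds a session and VM identifier to an issue time and an expiry, and the verifier rejects anything that fails authentication, is outside its window, or names a different VM. It substitutes an HMAC-SHA256 tag for the keyed DES in the thread so that it runs with the standard library only; the field names, the 5-second skew tolerance, and the constructed key and identifiers are all assumptions of the example.

```python
"""Short-lived console access token: issue and verify with a hard-coded TTL.

Added example, not CloudStack's code. HMAC-SHA256 stands in for the keyed DES
discussed in the thread; the point demonstrated is the expiry-window check.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_SECONDS = 120        # the hard-coded 2-minute window from the thread
MAX_CLOCK_SKEW_SECONDS = 5     # assumption: tolerated issuer/verifier clock skew
_TAG_LEN = hashlib.sha256().digest_size


def issue_token(key: bytes, session_id: str, vm_id: str, now: int) -> str:
    """Issuer side: bind session and VM to an issue/expiry time, then authenticate."""
    payload = {
        "sid": session_id,
        "vm": vm_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(8),   # two tokens for one session never collide
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_token(key: bytes, token: str, now: int, expected_vm: str):
    """Verifier side: return the payload if tag, window and VM all check out, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:               # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= _TAG_LEN:
        return None
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    payload = json.loads(body)
    # Reject tokens claiming to be from the future (beyond skew) or past expiry.
    if payload["iat"] > now + MAX_CLOCK_SKEW_SECONDS:
        return None
    if now >= payload["exp"]:
        return None
    # Reject a valid token being replayed against a different console target.
    if payload["vm"] != expected_vm:
        return None
    return payload


def forge_expiry(token: str, new_exp: int) -> str:
    """Attacker move without the key: rewrite 'exp' in the body, keep the old tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    payload = json.loads(body)
    payload["exp"] = new_exp
    forged_body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged_body + tag).decode()


if __name__ == "__main__":
    key = b"constructed-example-key"       # constructed; a real deployment uses a random key
    tok = issue_token(key, "sess-1", "vm-42", now=1000)
    print("fresh:", verify_token(key, tok, 1000, "vm-42") is not None)
    print("at 1119s:", verify_token(key, tok, 1119, "vm-42") is not None)
    print("at 1120s:", verify_token(key, tok, 1120, "vm-42") is not None)
    print("forged exp:", verify_token(key, forge_expiry(tok, 9999), 5000, "vm-42") is not None)
```

The verifier does not consult any database: everything it needs is inside the token, so the only state the issuer and console side must share is the key and a roughly synchronised clock. That is also why the window matters so much in the thread's threat model; once the session layer is compromised, the token's lifetime is the bound on how long a captured token is useful.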
