Hi all,
I see a security issue in the following scenario:
Let's say we have a user for whom 2 sessions are configured. Now the
user has logged in to the guac-client and is connected to 1 session.
I see that the user does bad things in his session and I want to kick it
off and disable his account. So I change his password and kick off the session.
But he's still logged in to the guac-client and he can immediately reconnect
the session.
In the documentation I didn't find a possibility to kick the login to the
guac-client. The only option I found to influence the guac-client login is
the "api-session-timeout", but this option only takes effect on inactivity.
Maybe a new option "auto-session-logout" would be useful, which, if set, will
automatically kick off the guac-login if the session is closed. So he can't
log in again, as the password has been changed.
What do you think about that?
Best regards, and keep up your good work
Michael
--
Michael Niehren __ _ powered by
/ / (_)__ __ ____ __
/ /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\