logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error

Options
Go to last post Go to first unread
minddragon  
#1 Posted : Sunday, February 8, 2015 4:49:27 AM(UTC)
minddragon


Rank: Newbie

Joined: 2/8/2015(UTC)
Posts: 10
United States
Location: Denver

If an Administrator logs into the Screen Connect portal via a User's PC, even after closing the browser, the user can navigate and access HOST functions under the administrator login.

There is no way to remotely expire all sessions.

Scott  
#2 Posted : Monday, February 9, 2015 2:10:00 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
If you want the auth cookie to expire when the browser closes, go into your web.config file on the server and find the following setting:

UsePersistentTicketCookie

Changing that from true to false will cause the authentication ticket to expire when the browser is closed.
ScreenConnect Team
minddragon  
#3 Posted : Tuesday, February 10, 2015 11:05:29 PM(UTC)
minddragon


Rank: Newbie

Joined: 2/8/2015(UTC)
Posts: 10
United States
Location: Denver

Originally Posted by: Scott Go to Quoted Post
If you want the auth cookie to expire when the browser closes, go into your web.config file on the server and find the following setting:

UsePersistentTicketCookie

Changing that from true to false will cause the authentication ticket to expire when the browser is closed.


Will that stay even after an update to newer versions?

Perhaps this belongs in "Feature Request" but it would be nice to have a tick box in Security Settings for this.
Scott  
#4 Posted : Wednesday, February 11, 2015 6:03:51 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
Yes, changing that setting will persist through version upgrades.

And I'll definitely add it to our enhancement request list.

Thanks!
ScreenConnect Team
Kuffy  
#5 Posted : Thursday, June 25, 2015 10:49:12 AM(UTC)
Kuffy


Rank: Advanced Member

Joined: 6/24/2015(UTC)
Posts: 36
United Kingdom

Thanks: 1 times
This isn't working with Chrome. I've changed the web.config to the following, and restarted services.

<add key="UsePersistentTicketCookie" value="false" />

But after closing Chrome, and re-opening, the session logged back in. No login details are saved on the browser.

IMO. this is a rather large security flaw, now present in 5.3.9074.5646. If, for whatever reason, Chrome is closed without logging out, full access is left.

Scott  
#6 Posted : Thursday, June 25, 2015 3:26:08 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
Code:

<add key="UsePersistentTicketCookie" value="false" />


Works just fine for me in 5.3 stable. The change will only apply to any auth cookies that are created after the web.config is saved, as any created before that would be set to be persistent.

If you log out after changing the value, log back in, close the browser, and relaunch it, do you remain auth'd?
ScreenConnect Team
Kuffy  
#7 Posted : Thursday, June 25, 2015 7:37:44 PM(UTC)
Kuffy


Rank: Advanced Member

Joined: 6/24/2015(UTC)
Posts: 36
United Kingdom

Thanks: 1 times
Hi Scott,

Yes, it still goes straight in. I've also deleted all cookies and cache to the beginning of time, in Chrome.
Sean  
#8 Posted : Tuesday, June 30, 2015 5:17:48 PM(UTC)
Sean


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 4/16/2010(UTC)
Posts: 441
Location: Raleigh

Thanks: 5 times
Was thanked: 38 time(s) in 33 post(s)
If you use a browser other than Chrome on the same machine, what is the behavior. Also, what about using Chrome on another machine?
ScreenConnect Team
Kuffy  
#9 Posted : Tuesday, July 7, 2015 9:55:30 AM(UTC)
Kuffy


Rank: Advanced Member

Joined: 6/24/2015(UTC)
Posts: 36
United Kingdom

Thanks: 1 times
On this PC IE11 is fine, but not Chrome.

On another PC, Chrome is fine.
Sean  
#10 Posted : Tuesday, July 7, 2015 3:12:54 PM(UTC)
Sean


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 4/16/2010(UTC)
Posts: 441
Location: Raleigh

Thanks: 5 times
Was thanked: 38 time(s) in 33 post(s)
OK, so it is isolated to Chrome on a specific machine. You may want to do a full reset or uninstall and reinstall Chrome.
ScreenConnect Team
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.