[Cubicweb] Security on CubicWeb

Nicolas Chauvat nicolas.chauvat at logilab.fr
Wed Jan 2 15:23:34 CET 2013


On Wed, Jan 02, 2013 at 03:00:38PM +0100, Adrien Di Mascio wrote:
> - DOS: CW doesn't provide any builtin tool to protect you.

If you use PostgreSQL in the back-end, you can start by having a look
at statement_timeout()
http://www.postgresql.org/docs/current/static/runtime-config-client.html

We should probably add this as a configuration option to CW, in order
to have it automatically configure session timeouts depending on the
user connected.

It could look like this in the configuration file:

  anonymous-sql-session-timeout=30s
  authenticated-sql-session-timeout=1min
  admin-sql-session-timeout=0

Should I add a ticket?

-- 
Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services
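
Added example, not part of the original message and not CubicWeb code: one way to turn the three proposed values into a per-session PostgreSQL statement_timeout. The role names, function names and the psycopg2-style `%s` cursor are assumptions made for illustration.

```python
import re

# Units PostgreSQL accepts for time-valued settings, in milliseconds.
UNIT_MS = {"ms": 1, "s": 1000, "min": 60_000, "h": 3_600_000, "d": 86_400_000}
DURATION = re.compile(r"(\d+)\s*(ms|s|min|h|d)?")

# Constructed sample mirroring the three values proposed in the message;
# the role names used as keys are hypothetical.
SAMPLE_TIMEOUTS = {"anonymous": "30s", "authenticated": "1min", "admin": "0"}


def parse_timeout_ms(value):
    """Convert '30s', '1min' or '0' to milliseconds; a bare number is ms."""
    match = DURATION.fullmatch(value.strip())
    if match is None:
        raise ValueError("invalid timeout: %r" % value)
    return int(match.group(1)) * UNIT_MS[match.group(2) or "ms"]


def timeout_for(roles, timeouts):
    """Pick the statement timeout (ms) for a user holding `roles`.

    The most permissive configured role wins, and 0 means "no limit" as in
    PostgreSQL. A user with no configured role gets the strictest non-zero
    value, so a misspelled role name cannot switch the limit off.
    """
    parsed = {role: parse_timeout_ms(v) for role, v in timeouts.items()}
    granted = [parsed[role] for role in roles if role in parsed]
    if not granted:
        return min((ms for ms in parsed.values() if ms > 0), default=0)
    return 0 if 0 in granted else max(granted)


def apply_timeout(cursor, roles, timeouts):
    """Set statement_timeout for the current session on a DB-API cursor."""
    ms = timeout_for(roles, timeouts)
    # set_config() takes the value as a bound parameter; 'false' makes the
    # setting last for the whole session rather than one transaction.
    cursor.execute("SELECT set_config('statement_timeout', %s, false)",
                   (str(ms),))
    return ms
```

The setting must be re-applied whenever a pooled connection is handed to a different user, since it stays in effect for the whole database session.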


