Log the activity of the users' sessions #934

Open
marien-probesys opened this issue Jan 16, 2025 · 0 comments
Assignees: marien-probesys
Labels: ready ✅ You can work on this!
Milestone: Version 1.0

Comments

marien-probesys (Member) commented Jan 16, 2025

Problem

For security reasons, it's important to know who has logged into Bileto and when. This would help administrators determine whether accounts have been compromised.

Solution

Allow administrators to see the activity of the users' sessions.

Specifications

Related OWASP document: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logging-sessions-life-cycle-monitoring-creation-usage-and-destruction-of-session-ids

Record the activity of the users' sessions in the database

We should log several events related to the sessions:

The logs must include at least the following information:

  • the event timestamp
  • the source IP address
  • HTTP headers such as the User-Agent and Referer
  • the user id
  • the user email
  • a hash of the session ID

We must create a new SessionLog entity to store this information. The HTTP headers can be stored in a JSON array.

The user id must be stored as a foreign key, set to null on cascade. We store the email address in addition, to prevent an attacker from erasing their traces.

Display the activity of the users' sessions

For now, only the administrators will be able to see the users' activity. They must have the "Manage users" (admin:manage:users) permission.

The activity must be displayed in a new block of the user page, under the "Authorizations" section.

The logs must be displayed by session (if any) and chronologically. This can be challenging, so as a first step they can be displayed chronologically only. The session hash must then be highlighted, with a .badge for instance.

Log rotation

The App\MessageHandler\CleanDataHandler must delete the SessionLog entities:

  • after 1 month if the user relation is null (meaning the user has been deleted)
  • after 1 year otherwise, so as not to keep this data indefinitely

Estimated time

2 - 3 days

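As an added example (not Bileto's own code and not part of the issue above), the following plain-PHP script models the SessionLog record the issue specifies and the two retention rules of the clean-up handler, so it runs without Symfony or Doctrine. The class and function names (SessionLogRecord, hashSessionId, buildSessionLogRecord, expiredSessionLogs), the 512-byte header cap and the sample request data are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Bileto's code. Models the SessionLog record from the issue
// and the two CleanDataHandler retention rules in plain PHP. Names are assumptions.

final class SessionLogRecord
{
    public function __construct(
        public readonly DateTimeImmutable $createdAt, // event timestamp
        public readonly string $ip,                   // source IP address
        public readonly array $headers,               // selected HTTP headers, stored as JSON
        public readonly ?int $userId,                 // FK; null once the user row is deleted
        public readonly string $userEmail,            // kept so the trace survives user deletion
        public readonly string $sessionHash,          // SHA-256 of the session ID, never the ID
    ) {
    }
}

// Store a hash rather than the session ID itself: a leaked table row must not be
// enough to hijack a live session. Session IDs carry enough entropy that an
// unsalted SHA-256 still lets an admin correlate events of the same session.
function hashSessionId(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

// $server is the $_SERVER-style array of the request. Only User-Agent and Referer
// are copied, each capped in length (assumed limit) so a client cannot stuff the log.
function buildSessionLogRecord(array $server, int $userId, string $email, string $sessionId, DateTimeImmutable $now): SessionLogRecord
{
    $wanted = ['HTTP_USER_AGENT' => 'User-Agent', 'HTTP_REFERER' => 'Referer'];
    $headers = [];
    foreach ($wanted as $serverKey => $headerName) {
        if (isset($server[$serverKey])) {
            $headers[$headerName] = mb_substr((string) $server[$serverKey], 0, 512);
        }
    }
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy, use the framework's
    // trusted-proxy handling instead of reading X-Forwarded-For blindly.
    return new SessionLogRecord($now, (string) ($server['REMOTE_ADDR'] ?? ''), $headers, $userId, $email, hashSessionId($sessionId));
}

// Retention: delete after 1 month when the user relation is null, after 1 year otherwise.
function expiredSessionLogs(array $records, DateTimeImmutable $now): array
{
    $orphanCutoff = $now->sub(new DateInterval('P1M'));
    $normalCutoff = $now->sub(new DateInterval('P1Y'));
    return array_values(array_filter(
        $records,
        fn (SessionLogRecord $r): bool => $r->createdAt < ($r->userId === null ? $orphanCutoff : $normalCutoff),
    ));
}

// Constructed demo input (not real traffic).
$now = new DateTimeImmutable('2025-03-01T12:00:00Z');
$server = [
    'REMOTE_ADDR' => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0',
    'HTTP_REFERER' => 'https://bileto.example/login',
];
$fresh = buildSessionLogRecord($server, 42, 'alice@example.com', bin2hex(random_bytes(16)), $now);
echo json_encode(['ip' => $fresh->ip, 'headers' => $fresh->headers, 'session' => $fresh->sessionHash], JSON_THROW_ON_ERROR), PHP_EOL;

$orphan = new SessionLogRecord($now->sub(new DateInterval('P40D')), '203.0.113.8', [], null, 'bob@example.com', hashSessionId('old-id'));
$stale = new SessionLogRecord($now->sub(new DateInterval('P400D')), '203.0.113.9', [], 7, 'carol@example.com', hashSessionId('older-id'));
$toDelete = expiredSessionLogs([$fresh, $orphan, $stale], $now);
echo count($toDelete), ' record(s) to delete', PHP_EOL;
```

Run with `php session_log_example.php` (PHP 8.1 or later, for readonly promoted properties). Of the three constructed records, the orphaned one (user relation null, 40 days old) and the year-old one fall past their cutoffs; the fresh record is kept. The point of hashing the session ID is that an administrator, or an attacker who reads the table, can correlate events of one session but cannot replay it.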
marien-probesys added this to the Version 1.0 milestone Jan 16, 2025
marien-probesys changed the title Keep a history of the user logins → Keep a history of the user sessions Jan 28, 2025
marien-probesys changed the title Keep a history of the user sessions → Log the activity of the users' sessions Jan 28, 2025
marien-probesys added the ready ✅ You can work on this! label Jan 29, 2025
marien-probesys self-assigned this Jan 30, 2025