Our Security Team found a security vulnerability on my blog (Ghost).
After an admin user logs in, there is no activity (idle) for a long time, but the login session is maintained.
Can I set the session expiry time for admin or normal users?
Try this in config.production.json for a 2-day expiry.
"spam": {
    "user_login": {
        "minWait": 600000,
        "maxWait": 604800000,
        "lifetime": 172800,
        "freeRetries": 4
    }
}
Thank you
Could you please tell me the meaning of “minWait”, “maxWait”, “Lifetime” and “freeRetries”?
And for testing, I want to set the expiration time to 1 minute.
Does this affect admin users?
Those config settings are for adjusting the brute-force protection; they won’t change session lifetimes.
Staff user session lifetimes are hardcoded and can’t be changed via config.
Thank you for the answer.
Does it mean the session timeout period is 6 months?
(maxAge: constants.SIX_MONTH_MS)
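The distinction this thread turns on, shown as an added example that is not part of any post above and is not Ghost's code: an absolute session lifetime (a six-month value like the `maxAge` quoted in the last post) keeps an idle session valid, while a separate server-side idle limit ends it. The `SessionStore` class, the 15-minute idle limit and the 30-day month used for `SIX_MONTH_MS` are assumptions made for illustration.

```javascript
// Added illustration, not Ghost code. All names and the 15-minute idle limit are assumptions.
const SIX_MONTH_MS = 6 * 30 * 24 * 60 * 60 * 1000; // assumed: six 30-day months
const IDLE_LIMIT_MS = 15 * 60 * 1000;

class SessionStore {
  constructor({ maxAge = SIX_MONTH_MS, idleLimit = null } = {}) {
    this.maxAge = maxAge;       // absolute lifetime, counted from login
    this.idleLimit = idleLimit; // null = no idle timeout (absolute-only policy)
    this.sessions = new Map();
  }

  login(id, now) {
    this.sessions.set(id, { createdAt: now, lastSeenAt: now });
  }

  // Validate a request carrying session `id` at time `now` (ms since epoch).
  // Returns 'ok', 'unknown', 'absolute-expired' or 'idle-expired'.
  check(id, now) {
    const s = this.sessions.get(id);
    if (!s) return 'unknown';
    if (now - s.createdAt >= this.maxAge) return this.destroy(id, 'absolute-expired');
    if (this.idleLimit !== null && now - s.lastSeenAt >= this.idleLimit) {
      return this.destroy(id, 'idle-expired');
    }
    s.lastSeenAt = now; // activity restarts the idle clock, never the absolute one
    return 'ok';
  }

  destroy(id, reason) {
    this.sessions.delete(id); // expire server-side so the old cookie cannot be reused
    return reason;
  }
}

// Constructed timeline: admin logs in at 09:00, then leaves the browser idle.
function demo() {
  const t0 = Date.UTC(2024, 0, 1, 9, 0, 0);
  const hour = 60 * 60 * 1000;
  const absoluteOnly = new SessionStore();
  const withIdle = new SessionStore({ idleLimit: IDLE_LIMIT_MS });
  absoluteOnly.login('admin', t0);
  withIdle.login('admin', t0);
  return {
    absoluteOnlyAfter8h: absoluteOnly.check('admin', t0 + 8 * hour),
    withIdleAfter10min: withIdle.check('admin', t0 + 10 * 60 * 1000),
    withIdleAfter8h: withIdle.check('admin', t0 + 8 * hour),
    withIdleReplay: withIdle.check('admin', t0 + 8 * hour + 1),
  };
}
```

Under the absolute-only policy the session is still accepted after eight idle hours, which is the behaviour the security team reported; with the idle limit the same request is rejected and the session is removed from the store.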