Currently, OJS/OMP/OPS do not distinguish authentication levels for content vs. administration areas of the system -- once logged in, a user with administration access may wander between editorial and administrative areas.
The European Commission requires differentiated access in its Web Application Security Standard:
- Administration pages of an application containing sensitive non-classified information shall have stricter security requirements which may justify the need for a re-authentication and/or for a stronger authentication.
(This is tracked in our IT Security Plan as WASS.10.)
Recommended: implement re-authorization when entering Administration if this has not been done within a short time window (similar to GitHub's challenge for settings areas); consider the same for context settings.
How to test changes:
Note: This feature is currently only applied to admins
- This feature is disabled by default. Enable the feature by specifying how long (in minutes) admins can access the administration area after initial re-authentication before being required to re-authenticate again. This is done by setting a value greater than zero for `password_timeout` under the `[security]` section of your app's config file.
- Log in as an admin
- Click Administration
- You will be presented with a screen requiring password confirmation to re-authenticate
- Enter your password
- The user will now have access to the administration area
- Observe that the user can perform admin actions
- Allow the number of minutes specified in step 1 to elapse
- Attempt to perform an action in the admin area, e.g. by clicking the Hosted Journals link; or perform a page refresh
- The user will be redirected to a screen requesting re-authentication
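The following is an added illustration of the behaviour the steps above describe, not pkp-lib's own code: the `[security]` `password_timeout` value is read from an INI-style config excerpt (constructed here), a timeout of zero leaves the gate disabled, only the administration area is challenged, and an admin whose last password confirmation is older than the timeout is sent back to the confirmation screen. The route names, the `Session` shape and the replayed scenario are hypothetical.

```python
"""Hypothetical model of the admin-area re-authentication gate (not pkp-lib code)."""
import configparser
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed config excerpt in the INI-like style of the app's config file.
CONFIG_TEXT = """
[security]
password_timeout = 15
"""

CONFIRM_ROUTE = "/login/confirmPassword"  # hypothetical route for the confirmation screen


def load_password_timeout(config_text: str) -> int:
    """Return password_timeout in minutes; 0 or an absent key means the gate is disabled."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser.getint("security", "password_timeout", fallback=0)


@dataclass
class Session:
    is_admin: bool
    # When the user last confirmed their password for the admin area; None if never.
    password_confirmed_at: Optional[datetime] = None


def needs_reauth(session: Session, path: str, timeout_minutes: int, now: datetime) -> bool:
    """Decide whether a request must be redirected to the password-confirmation screen."""
    if timeout_minutes <= 0:
        return False                       # feature disabled (the default)
    if not path.startswith("/admin"):
        return False                       # editorial pages are never challenged
    if not session.is_admin:
        return False                       # feature currently applies to admins only
    if session.password_confirmed_at is None:
        return True                        # first entry into Administration
    return now - session.password_confirmed_at > timedelta(minutes=timeout_minutes)


def handle_request(session: Session, path: str, timeout_minutes: int, now: datetime) -> str:
    """Return the route the request resolves to: the requested page or the confirmation screen."""
    return CONFIRM_ROUTE if needs_reauth(session, path, timeout_minutes, now) else path


def record_confirmation(session: Session, now: datetime) -> None:
    """Called after the admin enters a correct password on the confirmation screen."""
    session.password_confirmed_at = now


def replay_test_steps(config_text: str) -> List[str]:
    """Replay the manual test steps above and return the route reached at each step."""
    timeout = load_password_timeout(config_text)
    t0 = datetime(2024, 1, 1, 12, 0)      # constructed clock
    admin = Session(is_admin=True)
    routes = []
    routes.append(handle_request(admin, "/admin", timeout, t0))               # challenged
    record_confirmation(admin, t0)                                            # password entered
    routes.append(handle_request(admin, "/admin/contexts", timeout, t0 + timedelta(minutes=5)))
    routes.append(handle_request(admin, "/admin/contexts", timeout, t0 + timedelta(minutes=timeout + 1)))
    routes.append(handle_request(admin, "/submissions", timeout, t0 + timedelta(minutes=timeout + 1)))
    return routes


if __name__ == "__main__":
    for step, route in enumerate(replay_test_steps(CONFIG_TEXT), 1):
        print(step, route)
```

With `password_timeout = 15`, the replay resolves to the confirmation screen on first entry, the admin page within the window, the confirmation screen again once the window has elapsed, and the editorial page untouched throughout; set the value to 0 and no request is ever challenged.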
Pull Requests
pkp-lib: #12505
ui-library: pkp/ui-library#858
ojs: pkp/ojs#5449
omp: pkp/omp#2287
ops: pkp/ops#1250