Comment #8 on issue 1552 by chipx86: Need option to expire cookies

We don't take security lightly, but you must understand that every corporate scenario we've seen so far has a Review Board server behind a corporate firewall/VPN, and so we optimize for that.

I have a strong feeling that if we added a checkbox for this setting, it would not be used by more than one or two installs. Those installs are already in trouble, because, while security is important, we can't guarantee that Review Board, Django, Djblets, Pygments, Python, paramiko, mod_python, Subversion, Git, Apache, and every other thing in our stack is secure and free of bugs that would allow a user to take control over a system.

If your setup is such that a stolen laptop or PDA can be used to access your Review Board server, then that's a security problem with your overall install, not the software. Just as you would hopefully not make your entire repository accessible to the outside world without a VPN, you shouldn't make your Review Board server accessible. And if you are accessing even your internal server with a portable computer/device, then it's your responsibility to secure it and make sure that, if it's stolen, they can't get access to anything. Many companies have a policy for using encrypted filesystems for this very reason.

Sorry if it seems like security isn't a priority to us. It is. This is not a solution for it though, at least not one that will do anything other than give the illusion of solving the problem.
