On Tue, Apr 7, 2020 at 1:08 PM jeremims <[email protected]> wrote:
> Hi everybody.
>
> I have a fresh install of guacamole on debian 10.3 tomcat 9 and Guac 1.1,
> ldap (for active directory) and otp extension.
>
> I have some security questions with RDP connection:
>
> User is connected on windows server over guacamole in Chrome or Firefox.
> Windows logoff, close navigator, open navigator with url of the last rdp
> session.
> guacamole starts a new logon in windows without guacamole login
> request.
>
> I try to use in guacamole.properties: api-session-timeout:1 or 0. but
> nothing
> to do ...
>

This property is set in minutes, and I doubt that 0 triggers an immediate logoff, so the lowest value you can get is probably 1, which means you have to wait at least 1 minute for the session (token) to expire.

> It's an enormous security hole !
>

No, it's not. The authentication mechanism within Guacamole Client issues tokens that have a lifetime on them, configured in minutes. These tokens expire periodically - by default, every hour - but, unless the user logs out, or the token expires, the user can re-launch the browser with that session. This is fairly normal behavior when it comes to websites - when you launch Gmail.com and log in to your Google account, you can close your browser completely and re-launch it and you don't have to log back in. Most web sites work this way.

> do you have the same behavior ?
>

Yes, I experience the same behavior, and I use the tool with this behavior in mind. If I want to log off, I go to the menu and select Log Off.

-Nick
