Proposal: delete BMCWeb sessions after some kinds of account changes

Joseph Reynolds jrey at
Tue Feb 18 09:10:01 AEDT 2020

This proposal is to enhance BMCWeb to terminate login sessions that are 
associated with accounts that have incompatible changes.  I understand 
this practice is allowed by Redfish and recommended by OWASP.

Login sessions should be deleted when associated with the following 
account changes:
  - Account is deleted, renamed, or expired.
  - Account [group role][] changes to not include "web".

Login sessions can remain after the following account changes:
  - Account Role changes.  The new role will be used for the next 
    operation, next use of that session.
  - The [proposed][] ExpiredPassword D-Bus property and the 
    PasswordChangeRequired Redfish properties set to True.  Sessions where 
    this property is True are needed for a user to change their own password.
  - The UserLockedForFailedAttempt D-Bus property.  This property may 
    become true during a brute force attack, and it should not cause denial 
    of service to existing logged in users.

- Joseph

[group role]:
[Redfish spec]:
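The policy above, worked through as a small session table in C++; this is an added illustration written for this page, not BMCWeb's own code. The AccountState struct, SessionStore and the handling of a rename as "old username is gone" are assumptions of the example.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Snapshot of an account after a change, as the session layer would see it
// (hypothetical struct; field names follow the properties named in the proposal).
struct AccountState {
    bool deleted = false;                 // account deleted, or renamed (old name no longer exists)
    bool expired = false;                 // account expired
    std::vector<std::string> groups;      // group roles, e.g. {"redfish", "web"}
    bool passwordChangeRequired = false;  // proposed ExpiredPassword / PasswordChangeRequired
    bool lockedForFailedAttempt = false;  // UserLockedForFailedAttempt
};

// Incompatible changes per the proposal: deletion/rename/expiry, or losing the "web" group.
bool sessionsMustBeDeleted(const AccountState& a) {
    if (a.deleted || a.expired) return true;
    bool hasWeb = std::find(a.groups.begin(), a.groups.end(), "web") != a.groups.end();
    if (!hasWeb) return true;
    // Role changes, PasswordChangeRequired and lockout deliberately keep sessions alive:
    // the first is picked up on the next request, the second is needed to change the
    // password, and the third must not turn a brute-force attempt into a DoS on valid users.
    return false;
}

// Minimal session table: token -> owning username (constructed for the example).
struct SessionStore {
    std::map<std::string, std::string> byToken;
    void add(const std::string& token, const std::string& user) { byToken[token] = user; }
    // Apply an account change to every session of that user; returns how many were deleted.
    size_t onAccountChange(const std::string& user, const AccountState& state) {
        if (!sessionsMustBeDeleted(state)) return 0;
        size_t removed = 0;
        for (auto it = byToken.begin(); it != byToken.end();) {
            if (it->second == user) { it = byToken.erase(it); ++removed; }
            else ++it;
        }
        return removed;
    }
};

int main() {
    SessionStore s;
    s.add("tok-a1", "alice"); s.add("tok-a2", "alice"); s.add("tok-b1", "bob");
    AccountState lostWeb;  lostWeb.groups = {"redfish"};          // "web" removed
    AccountState locked;   locked.groups = {"redfish", "web"}; locked.lockedForFailedAttempt = true;
    std::printf("alice: %zu deleted\n", s.onAccountChange("alice", lostWeb)); // 2
    std::printf("bob: %zu deleted\n", s.onAccountChange("bob", locked));      // 0
}
```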
