Proposal: delete BMCWeb sessions after some kinds of account changes

Alexander Tereschenko aleksandr.v.tereschenko at
Fri Feb 21 23:45:52 AEDT 2020

On 17-Feb-20 23:10, Joseph Reynolds wrote:
> This proposal is to enhance BMCWeb to terminate login session that are 
> associated with accounts that have incompatible changes.  I understand 
> this practice is allowed Redfish and recommended by OWASP.
This makes sense to me, with one specific note - see below

> - The [proposed][] ExpiredPassword D-Bus property and the 
> PasswordChangeRequired Redfish properties set to True.  Sessions where 
> this property is True are needed for a user to change their own password.

While not terminating these sessions (which certainly makes sense), 
should we restrict them to only allow for password change action 
starting immediately after that flag is set? I'm not sure how it works now.


More information about the openbmc mailing list