Steemconnect sessions should expire when a password is changed

in #utopian-io · 5 years ago (edited)

Repository

https://github.com/steemscript/steemconnect

Components

  • Steemconnect saved sessions expiration

Proposal Description

This is a simple yet important suggestion on the Steemconnect session management.

Background

Steemconnect (SC) is the most widely used authorization tool on the Steem blockchain. To use SC with apps that have vote/comment functions (that is, most apps, such as Busy or Steempeak), users first need to authorize their posting authority to the app. This means the app can do anything the user can do with the posting key, on the user's behalf. For instance, Steemauto can vote and publish a scheduled post while the user is logged out.

Problem - saved sessions do not expire when a password is changed

In the current version of Steemconnect (SC2), even if a user changes the password on steemit.com, all saved SC sessions keep working.

I found this when my password was accidentally exposed and I immediately changed it. I opened an issue about a month ago (https://github.com/steemscript/steemconnect/issues/359) but couldn't get any response.

Some people may even call this a security bug. To be fair, not every internet service expires saved sessions automatically when the password is changed. But some services go further and offer an option to expire all other sessions on a password change, which is great!

Steem is quite different from email or other ordinary SNS/blog services. If a user changes the password to protect the account, there must be a way to expire all other sessions. Otherwise, unwanted votes and posts can still be made from those sessions.
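One way to implement the expiry this post asks for, as an added example that is not Steemconnect's code: bind each saved session to the account's posting public key at login and reject it once the on-chain key differs, and also drop the account's saved sessions when an account update changes that key. The chain lookup, app names and key values below are constructed stand-ins.

```javascript
// Added example, not Steemconnect's code. On Steem, changing the password
// rotates all keys, including the posting key, so a changed posting key is
// the signal that saved sessions must die.

// Constructed stand-in for the on-chain account lookup (a real implementation
// would read the account's `posting` authority from a steemd node).
const chainAccounts = {
  alice: { postingPubKey: "STM_constructed_posting_key_v1" },
};

// Saved sessions per account, like the session list in the SC dashboard.
const sessionStore = new Map();

function createSession(username, app) {
  const account = chainAccounts[username];
  if (!account) throw new Error(`unknown account ${username}`);
  // Record the posting key the user proved control of at login time.
  const session = { username, app, postingPubKey: account.postingPubKey, issuedAt: Date.now() };
  if (!sessionStore.has(username)) sessionStore.set(username, []);
  sessionStore.get(username).push(session);
  return session;
}

// Lazy check: run on every request that uses a saved session.
function validateSession(session) {
  const account = chainAccounts[session.username];
  if (!account) return { valid: false, reason: "unknown account" };
  if (account.postingPubKey !== session.postingPubKey) {
    return { valid: false, reason: "posting key changed since login" };
  }
  const live = sessionStore.get(session.username) || [];
  if (!live.includes(session)) return { valid: false, reason: "session revoked" };
  return { valid: true };
}

// Eager check: called when an account_update for the user is observed.
// Returns true when the key changed and the saved sessions were cleared.
function onAccountUpdate(username, newPostingPubKey) {
  const account = chainAccounts[username];
  const changed = account.postingPubKey !== newPostingPubKey;
  account.postingPubKey = newPostingPubKey;
  if (changed) sessionStore.set(username, []);
  return changed;
}

// Session list as the dashboard would show it (app names only).
function listSessions(username) {
  return (sessionStore.get(username) || []).map((s) => s.app);
}
```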

Mockups / Examples

  • Currently, even if the password is changed, the saved sessions remain available.

  • When the password is changed, the sessions should expire. Either this should be indicated with an icon in the session list above, or the session should be removed from the list entirely.

Benefits

Security is very important on the blockchain. If a user's private key is exposed, the user should change the password immediately. And when the password is changed, the saved Steemconnect sessions should also expire, to protect the account's posting authority. Nobody likes unwanted votes and comments.

GitHub Account

https://github.com/economicstudio


Hello, @blockchainstudio. Thank you for being a consistent contributor to the suggestions category. We appreciate all of your efforts made to improve open source projects with reasonable ideas. That's said, I like the idea of having the login session expire once a user password has changed at least for security purposes. This is indeed a simple idea yet very important. While funds cannot be stolen from the current behavior of SC, a possible attacker still has the advantage of burning your VP/Manner.

The reason you might not have gotten any response from the PO or the project development team yet on the issue you created on the project repository could possibly be because they are working on a new version of SC (version 3) with a unique login feature which could possibly cover this idea you have suggested.

I'd recommend you go through the project update in this post and base your subsequent suggestions on it. Suggesting features focused on version 2 may be considered not valuable to the project, since they have already decided to focus on implementing or developing a new/better version of the application.

Again, thank you for using Utopian, and I'm looking forward to seeing more detailed and thoughtful idea contributions from you.

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Hi @knowledges, thank you for your time, but I somewhat disagree with what you wrote on several points and would like to make some suggestions for you too.

The reason you might not have gotten any response from the PO or the project development team yet on the issue you created on the project repository could possibly be because they are working on a new version of SC (version 3) with a unique login feature which could possibly cover this idea you have suggested.

Should suggestions be evaluated based on your assumption about a future version? I believe many people didn't even recognize this security problem. While I think this is a very important idea, if you think differently, that's absolutely fine. Although I strongly disagree with the score of 34 (based on what I'm writing in this comment), it's really your decision and right.

I once left a comment on some SC3 post but didn't get a reply either (this is generally the same for many other projects), which I totally understand because I also tend to forget to reply. But because of that, I think opening the issue on GH is quite enough and actually a much more official way, unless you think they don't even need to monitor the GH of the current version if they're planning a newer version. Maybe you didn't notice, but I always try my best to contact the PO. By the way, you also didn't reply to my question before, which again is totally fine. But that's why I prefer a GH issue to a comment on some old (3-month-old in this case) post.

Suggesting features focused on version 2 may be considered not valuable to the project since they already have decided to focus on implementing or developing a new/better version of the application.

I just mentioned SC2 since there is no repository for SC3 yet. How can you think I'm suggesting this for the current version only? I can't believe this. Of course it's also for SC3 and any future product. Shouldn't that already be assumed?

While it takes quite some time to write a suggestion post (much less than my time is worth; I don't do this for votes), I've been happily trying to help several projects, but well. So I think I deserve to say this. You sometimes defend the PO too much and are too strict on contributors. I'd appreciate it if you could use more encouraging wording. Of course, I really appreciate and respect that you know many previous postings and try to find duplicates and such. So don't take me wrong, and I hope this could be a good suggestion for you too. Thank you.

Suggestions should be evaluated by your assumption on future version

Suggestions are evaluated based on the possible benefit or value they bring to the project you are suggesting the idea to. The proposed version (SC3) was first announced by @fabian, who is one of the devs working on the current version; then more in-depth technical details of SC3 were published from their official blog account (@steemscript), which I believe has enough information to reveal the PO's intention towards working on a new version. IMO, I don't think that the post age really matters. Sadly, it is pretty hard to get the PO or project maintainers to respond to issues easily or quickly.

You sometimes defend the PO too much and too strict on contributors. I'd appreciate if you could use more encouraging wording.

I am sorry if you find my comment feedback not encouraging or think that I am trying to defend the PO. I was only trying to give some helpful feedback with no intentions of being subjective.

Most of the time, we appreciate the PO's input on suggestion contributions like this one. Usually, this gives us (the reviewers) a better understanding of the PO's intention towards the proposed idea and the benefit the idea could bring to the project. Not having the PO's input or acknowledgment sometimes makes the evaluation process stiff, especially when the PO has already announced the development of another version of the app. That said, I appreciate your kind effort in creating an issue on the project repository for each bug/idea report.

Thank you for your review, @knowledges! Keep up the good work!

zorba mentioned blockchainstudio. Click the link below to go there~ ^^
zorba's [2019/2/22] The fastest overseas news! Introducing posts by members of the overseas Steemian group.

...an, jisoooh0202 in Thailand, livelyshawnee in California, USA, blockchainstudio and gomdory in the UK, sizuko in Japan, eric66 and laylador in France, in the Netherlands...

sbi4 mentioned blockchainstudio. Click the link below to go there~ ^^
sbi4's Weekly Upvotes Report

...i | 61.74% | quattro-haiku-invernali-four-winter-haiku
blockchainstudio | 59.53% | steemconnect-login-with-posting-key-instead-...


@blockchainstudio, Gomdory is upvoting you at 3.6x and heading off~! Heave-ho~

gomdory mentioned blockchainstudio. Click the link below to go there~ ^^
gomdory's Gomdory Diary, February 23 - 2x upvote event ended, back to 50%


The 2x upvote celebrating Gomdory reaching reputation 60 has ended. It is back to 50% as before, and comments are for applicants...

Responded to the Jjangjjangman call.

Congratulations @blockchainstudio! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You got more than 3000 replies. Your next target is to reach 3250 replies.

Click here to view your Board
If you no longer want to receive notifications, reply to this comment with the word STOP

You can upvote this notification to help all Steemit users. Learn why here!

@blockchainstudio You have received a 100% upvote from @intro.bot because this post did not use any bidbots and you have not used bidbots in the last 30 days!

Upvoting this comment will help keep this service running.

Korean (translated): Another problem with Steemconnect is that saved sessions remain valid even after the password is changed. Not every internet service expires saved sessions when the password is changed, but many do, and for a service like Steemit I think session expiry absolutely must be supported. Of course, what can be done with a saved Steemconnect session is limited to what the posting key allows, but it is still not good that, after you go to the trouble of changing your password because your key seems to have leaked, someone can still go around posting and voting with the saved session.

Hi @blockchainstudio!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server
