Security Advisory
Please read this section carefully. Failing to adequately protect internal services may result in insecure setups!
After successfully verifying a remember-me cookie, the user has an authenticated session and receives their roles from the database/directory (plus optional static roles from the configuration). The set of roles implies a certain access level to target applications and internal Loginapp services.
- Check if "remember-me authentication" is an adequate security level for the target applications. If not, make sure access to corresponding target applications requires additional roles (e.g. via step-up).
- Check if "remember-me authentication" is an adequate security level for internal Loginapp services. If not, restrict access to corresponding services in Loginapp >> Application Settings >> Internal Services.
- The following internal services should usually not be accessible after only "remember-me authentication" (not a comprehensive list):
  - Password change self-service
  - Various token migration self-services (migrate to SMS, Cronto, etc.)
  - User profile self-service
  - Delete user self-service
  - User representation
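The point of the checklist above is that roles loaded from the directory say nothing about how strongly the user authenticated: a remember-me session carries the same roles as a password-and-token session. The following Python sketch, added here as an illustration and not part of the Loginapp product or its configuration model, shows an authorization check that gates each internal service on both a minimum authentication level and the required roles, and that lets a step-up raise the level. The service names, level constants and role names are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical authentication levels, ordered from weakest to strongest
# (constructed for this example; not Loginapp identifiers).
LEVEL_REMEMBER_ME = 1
LEVEL_PASSWORD = 2
LEVEL_SECOND_FACTOR = 3

# Minimum authentication level per internal service (constructed policy that
# mirrors the advisory's list: sensitive self-services need more than remember-me).
SERVICE_MIN_LEVEL = {
    "password-change": LEVEL_SECOND_FACTOR,
    "token-migration": LEVEL_SECOND_FACTOR,
    "user-profile": LEVEL_PASSWORD,
    "delete-user": LEVEL_SECOND_FACTOR,
    "user-representation": LEVEL_SECOND_FACTOR,
    "dashboard": LEVEL_REMEMBER_ME,
}

# Roles required on top of the level (constructed; e.g. representing another
# user is a helpdesk function, not something every directory role implies).
SERVICE_REQUIRED_ROLES = {
    "user-representation": {"helpdesk"},
}


@dataclass
class Session:
    user: str
    auth_level: int        # how the session was established, not what roles it has
    roles: frozenset       # roles from directory + static roles from configuration


def authorize(session: Session, service: str) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown services are denied (fail closed)."""
    if service not in SERVICE_MIN_LEVEL:
        return False, f"unknown service {service!r}"
    # First gate: authentication strength, independent of directory roles.
    if session.auth_level < SERVICE_MIN_LEVEL[service]:
        return False, "step-up required"
    # Second gate: the role set loaded for the user.
    missing = SERVICE_REQUIRED_ROLES.get(service, set()) - session.roles
    if missing:
        return False, f"missing roles {sorted(missing)}"
    return True, "ok"


def step_up(session: Session, new_level: int) -> Session:
    """Model a completed step-up: the level only ever increases, roles are unchanged."""
    return Session(session.user, max(session.auth_level, new_level), session.roles)


if __name__ == "__main__":
    # Constructed session: remember-me cookie verified, roles came from the directory.
    s = Session("alice", LEVEL_REMEMBER_ME, frozenset({"user", "helpdesk"}))
    for svc in ("dashboard", "password-change", "user-representation"):
        print(svc, authorize(s, svc))
    s2 = step_up(s, LEVEL_SECOND_FACTOR)
    print("after step-up:", authorize(s2, "user-representation"))
```

The design choice to note is that `auth_level` is a property of the session, not a role: the directory can hand out `helpdesk` freely, but `user-representation` stays closed until the session has been stepped up.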