Sessions, Login Modals, and Secure Forms in ExpressionEngine 2.8

by: Pascal Kriete on: 2/11/2014

Security is one of our biggest concerns. However, all the security in the world
doesn’t matter if it’s not used correctly. So in ExpressionEngine 2.8 we are
making a few changes to ExpressionEngine’s security features to encourage good
security habits.

First up is secure forms. Secure forms as a feature is commonly misunderstood,
but it is critically important. It could be more verbosely referred to as Cross-Site
Request Forgery (CSRF) protection. CSRF vulnerabilities are one of the most
common security problems on the web. In 2.7 we made some changes to move these
security checks out of add-ons and into EE proper. We tend to do things a little
more strictly than required even if it means a small hit to usability, but the
move highlighted just how strict we were. It was driving people to disable secure
forms entirely. In response, the 2.8 implementation is more in line with
industry standard CSRF protection, which should result in fewer submission errors.
Along with this change, the setting for secure forms has been removed from the
control panel. There is still a configuration override to disable it, but doing
so on new sites is strongly discouraged.

$config['disable_csrf_protection'] = 'y';

Next, we removed the session length configuration overrides. Looking at how
these were being used we realized that they were almost always set to extreme
values. For those of you who were setting them to very large numbers, please
consider using Remember Me instead. For anyone who has tried to set session
length to zero in hopes of getting a session that ends when the browser is
closed, you’ll be happy to hear that we’ve added a config override to do just

$config['expire_session_on_browser_close'] = 'y';
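To make the two mechanisms above concrete, here is an added stand-alone PHP sketch of the "industry standard" CSRF token pattern and of a session cookie that ends when the browser closes. It is not ExpressionEngine's code, and it assumes plain PHP 7.3+ sessions with the form posted back to the same script.

```php
<?php
// Added illustration, not ExpressionEngine's implementation.
// A cookie lifetime of 0 yields a "browser session" cookie that the browser
// discards on close, the PHP-level equivalent of expire_session_on_browser_close.
session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// One unpredictable secret per session, generated once and reused by every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's copy in constant time.
// A missing token, or no token in the session, is a rejection, not a pass.
function csrf_valid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form submission rejected: missing or invalid CSRF token.');
    }
    // Safe to act on the POST data here: the request carried a token that only
    // a page rendered for this session could have known.
}

// Render the form with the token as a hidden field (HTML-escaped).
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">';
echo '  <input type="hidden" name="csrf_token" value="' . $token . '">';
echo '  <input type="text" name="comment">';
echo '  <button type="submit">Send</button>';
echo '</form>';
```

Because the token is tied to the session rather than to a single page load, reloading a form or submitting it a second time does not produce a false rejection, which is the usability problem the 2.8 change addresses.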

Lastly, the idle modal. The idle modal was added in 2.7 as a way to improve on
the existing dropdown and get better control panel security on public machines.
As a remote working company we spend a lot of time in coffee shops and libraries.
We see people leave devices unattended on a daily basis. However, this behavior
is not always desired on a home machine. Sometimes you want a session that lasts
a long time. So, in line with the recommendation to use Remember Me for long
lasting sessions, the login modal in ExpressionEngine 2.8 will no longer show if
Remember Me is checked. Additionally, it will only end the control panel session;
the front-end will behave as normal. And lastly, it will no longer redirect you
to the login screen, even if it is left open for several hours or even days.

