How to allow multiple logins

Add me to the list of folks that don't like the fact that you are stuck if you leave a web UI session up on a browser. I am at work right now and I want to check something in my webUI. I am connected via VPN to my router/LAN but I can't access the web UI of the router since I left it up on a web page on one of my home PCs. So if I want to access it I will have to either (1) RDP into my home computer and kill the web browser session, or (2) start an SSH session and do the nvram unset commands. It would be SO much nicer if you could have multiple logins or a login would be timed out after X minutes, or whatever.
 
Awesome - I will have to wait until I get home to do that since I can't seem to clear the nvram settings from an SSH session.
 
This is probably reviving the dead, but this problem is still an issue in 382.1. An additional issue is that if you happen to leave your logged-in session watching the bandwidth page under QoS, then the timed auto-logout doesn't work.
 
I use TomatoUSB as my primary, but set up Merlin on lots of routers, and am thinking about switching over to Merlin due to better features and support of newer hardware. In TomatoUSB, multiple logins are allowed at the same time. I know Asus folks limited this to a single login, perhaps due to a different GUI implementation from Tomato?

The reality for most users of Merlin firmware is that we probably leave a session open just to monitor bandwidth, i.e. a read-only session, and then log in from somewhere else to also view bandwidth or make a change.

Merlin, I know you said case closed on this one - but how about a readonly user that allows multiple logins, and an admin user? If that's not possible, personally I'd be willing to take the risk of a glare condition between two sessions making changes on the same page, especially given TomatoUSB works this way already and I haven't seen any complaints regarding this on Tomato -- so maybe a flag that could be set at the user's own risk to allow multiple admin logins? Obviously beggars can't be choosers, and I don't want to fork the code and lose all of the future work you will be doing - just thought I would ask. Thank you for the awesome work you do on this firmware.
 
As far as security goes, this is a bad idea. You don't want this poorly written webui open more than you have to, period. The service httpd is not well written. Some have even suggested access from WAN, but again the code is weak in the webui. People think that with a good user ID and password it should be OK. The web access to WAN can be hacked. Using a read-only access is just another weakness in this area.
 
I'm not sure I follow how having multi-user access to the web UI is a security risk. I wasn't talking about WAN access to the GUI with a read-only user, just LAN side, and only if you manually set up this user. If you want to play with fire, GUI and SSH access from the WAN is available as an option - but it defaults to off, which is good. Are you concerned that having a read-only user would open up the router for hack attempts from the inside of your network on the LAN side from script kiddies in a way that is worse than it already is now with the admin user?
 
