Posts Tagged: security

Security Enhancements in MIDAS v4.42

5 minute read time · Updated April 29, 2026 · First published April 29, 2026
Security Enhancements

MIDAS v4.42 brings several important security enhancements. Here’s what’s changed and why it matters.

Argon2id now the preferred method of password hashing

For many years MIDAS has utilized “bcrypt” to store password hashes. While “bcrypt” is still accepted industry practice, newer encryption methods like “Argon2id” offer improved protection.

“bcrypt” is computationally expensive. This means it takes a significant amount of processing time to compute each password hash. bcrypt also includes a configurable “work factor” controlling how “computationally expensive” each calculation is.

Back in 2017, a “work factor” of 10 was widely considered by security experts to be sufficient at the time, and this is the factor we used in MIDAS.

By 2020, computing power had evolved and so “best practice” was to upgrade to a “work factor” of 12, which we transparently rolled out to MIDAS for our v4.25 update that year.

Now in 2026, we’re firmly in the quantum computing and AI age. While bcrypt is still considered secure, it is only “computationally expensive” from a processing (CPU) perspective.

Newer methods, like “Argon2id”, are both processor-intensive and memory-intensive, and so offer an even greater line of defense against brute-forcing password hashes.

We’ve implemented Argon2id for MIDAS v4.42. End users won’t see any difference, but password hashes stored in each MIDAS system’s database are now more secure than ever, and will be automatically updated the first time a user signs in to v4.42.

Self-Hosted customers: You’ll need to install the Perl module “Crypt::Argon2” if you wish to take advantage of this security enhancement. If this module isn’t available on your server, MIDAS will fall back to using bcrypt.

Option to sign out a user everywhere when maximum number of failed sign-in attempts reached

One of the existing security features in MIDAS is the ability for the software to automatically ‘lock’ accounts after a configurable number of failed sign-in attempts. Account access can then be quickly restored by an administrative user, or via a link that MIDAS will email to you if your account becomes locked in this way.

An account becoming ‘locked’ due to a high number of failed sign-in attempts prevents further sign-in attempts being made on that account. Until now, any existing active sessions that the user may have were allowed to continue unaffected.

For MIDAS v4.42, we’ve introduced a new security setting (found under MIDAS Admin Options → Security) that, if enabled and a user account becomes automatically ‘locked’ due to a high number of failed sign-in attempts, all active sessions for that account will be automatically terminated as well.

Suspending a user account instantly expires all active sessions for the user

If an administrator manually suspends a user account, MIDAS will now also expire all active sessions for that user. Previously, if an account was manually suspended, it wouldn’t affect any currently active sessions — now it does.

Security Fixes

We’ve also addressed a handful of security and account-related bugs for v4.42 which were discovered by our team…

Fixed: Possible to bypass forced password expiry

One of the “legacy” settings in MIDAS is the ability for administrators to routinely force users to change their password. Enabling this option isn’t something that we recommend. Indeed, this is considered bad practice, as forcing users to regularly change their passwords actually harms rather than improves security.

Despite that, some organizations still insist on routine password change policies, and therefore, we’ve had to retain this option in MIDAS.

MIDAS v4.42 fixes a small issue related to this, whereby since v4.39, if a user is forced to change their password due to it having expired, the user could easily bypass this requirement by simply hitting reload/refresh in their browser when prompted to set a new password. We’ve resolved this for v4.42.

Fixed: Weak passwords were allowed when passwords were reset

MIDAS includes a visual strength indicator when entering a new password. Very Weak, Weak, and Common passwords are blocked and aren’t allowed. However, a small bug existed that could allow a weak password to be chosen during a password reset. This has been resolved for v4.42.

Fixed: Not possible to add new user accounts in suspended state

Administrators have extensive control over the permissions that can be assigned to each individual user account. Individual user accounts can also be quickly ‘Suspended’ by an administrator. Until now, however, a small bug prevented new user accounts from being added in an initial ‘suspended’ state. This has now been resolved for v4.42.

3rd Party Deprecations and Updates

MIDAS includes a small number of 3rd party components, and it’s important to us that we use the latest versions of these wherever possible.

To that end, for MIDAS v4.42 we’ve updated jQuery to v4.00 and jQuery-Autocomplete to v1.5.0.

We’ve also deprecated qTip2, as this is no longer maintained by the developer. qTip2 was used in MIDAS for dynamic tooltips, like those you see when you ‘hover’ over the name of a venue in the booking grid.

Instead, we’ve built our own dynamic tooltip system from the ground up for v4.42.

Tags: ,

New “Stay Signed In” feature

4 minute read time · Updated April 4, 2025 · First published April 4, 2025

Have you ever hit the reload/refresh button in your browser whilst logged into MIDAS? Were you surprised to be bounced back to a login screen when you did? Well no more!

We’ve redesigned and improved the sign-in experience for MIDAS v4.39.

In previous versions, two options were offered on the sign-in screen..

Remember Me

Remember Me

Previously, the login screen included a “Remember Me” tick box. If this was selected when a user logged in, MIDAS would store their credentials in a cookie. The next time they accessed the login screen in the same browser, MIDAS would read this cookie and automatically populate the various fields on the login screen.

Auto-Login

Auto Login

An optional “Auto-Login” box was also present on the login screen whenever the “Remember Me” box was selected.

If “Auto-Login” was also selected, then the next time the user accessed the login screen, MIDAS would not only read the ‘remember me’ cookie and automatically populate the fields on the login screen, but also automatically click the “Login” button.

Drawbacks

There were a number of drawbacks to this approach. The primary drawback being that the “Remember Me” option stored a user’s credentials in a cookie. Whilst this data was encoded and obfuscated, it is no longer best practice to store such data in this manner.

The “Remember Me” option is also now somewhat outdated redundant. It was first introduced some 16 years ago – way back with MIDAS v2 in September 2009. Back then, password managers weren’t really a thing, and web browsers themselves didn’t provide a means to remember logins to websites.

Nowadays, all modern browsers off users the ability to remember credentials to websites and webapps. In addition, third party password managers are now also common place.

So it was time to give the “Remember Me” function a complete overhall.

In doing so, we also wanted to address a frustration which a number of our customers have reported over the years. If, when using MIDAS, they accidentally hit their browser’s reload/refresh button, MIDAS jumps them back to a login screen. (That is, unless they had selected both the “Remember Me” and the “Auto-Login” options when they initially logged in).

To combat this frustration, and to simplify the number of options on the MIDAS login screen, starting with v4.39 users will see a single “Stay signed in” option on their sign in screen.

The previous “Remember Me” and “Auto-login” options have been removed.

Staying signed in

Selecting this new “Stay signed in” option when signing in will keep the user signed-in to MIDAS on that browser until they sign out (or until their session times out, based upon the security settings setup by an administrator in your booking system.

Here’s how the new sign-in screen looks:

MIDAS sign-in screen with the new 'Stay signed in' option
MIDAS sign-in screen with the new ‘Stay signed in’ option

Like the previous “Remember Me” option, the new “Stay signed in” option also stores data in a cookie. However, unlike the former, the new “Stay Signed In” option only stores a randomly generated and unique session ID. No credentials themselves are stored in a cookie.

Refreshing and Reloading

Regardless of whether the new “Stay signed in” option is selected on a user’s sign-in screen, once the user has signed in, hitting refresh or reload in their browser will no longer jump the user back to a login screen – they will remain signed in!

With the “Stay signed in” option selected (and assuming the user isn’t accessing via a private/incognito browser window), the user can completely close their browser, and the next time they open it and access your MIDAS URL, they will still be signed in.

Security Considerations

Naturally, if the browser/device you use is shared by multiple people, then you should not select the “Stay signed in” option when signing in to MIDAS.

An administrative setting also exists to prevent the “Stay signed in” option from being shown to users.

An administrator may also still wish to force user’s sessions to expire if there is an extended period of no activity. To accommodate this, new settings have been added to the Session Control section of the security screen. This screen may be accessed via MIDAS Admin Options → Manage MIDAS → Security.

New Session Control security options in MIDAS v4.39
New Session Control security options in MIDAS v4.39
Tags: ,

Authenticator App Support

5 minute read time · Updated February 11, 2025 · First published November 25, 2024
Authenticator App

Two-Factor Authentication (sometimes referred to as 2FA) is a more secure method of logging into websites or online services.

Traditionally, when you “log in” to a website or online service, you enter your username (typically your email address) and password. Then you click a button, and if the details you enter are valid, you’re logged in.

Unfortunately, many people reuse the same credentials (username / password combination) again and again for multiple websites and online services. The danger of this is that if one of those services gets “hacked” or suffers a data breach where user credentials are exposed, an attacker could potentially then access all other websites and online services that that person uses.

Two-factor authentication combats this. It does so by employing a secondary means of authentication in addition to the traditional username / password combination in order to authenticate a user’s access.

This means that even if a user’s password has been compromised, an attacker couldn’t then this to gain access to someone’s account.

Two Factor Authentication in MIDAS

Since 2015, all MIDAS room booking systems have included optional two-factor authentication. If enabled, this adds an additional layer of account security to our software.

With Two-Factor Authentication enabled, each time a user logins in, a code is sent to their email inbox. The user must then enter this code into MIDAS in order to complete their log in.

But starting with MIDAS v4.38, we’re improving 2FA options and support in our software!

MIDAS v4.38 (and later) now support authenticator apps – including Google Authenticator and Microsoft Authenticator – as an alternative 2FA login option to email.

Per User Two Factor Authentication Settings

Previously, the 2FA option in MIDAS was a ‘global’ setting. This meant that it could be enabled or disabled for all user accounts at once. It was not possible to have ‘per account’ 2FA settings.

We’ve made this more flexible for MIDAS v4.38!

Now, administrators can set whether 2FA is enabled for each individual user account. The 2FA option for each account can also be set.

Available 2FA options are now:

  • Authenticator App
  • Email

Enabling 2FA Authenticator App Globally in MIDAS

To globally turn on 2FA for all users, administrators can go to MIDAS Admin Options > Manage MIDAS > Security. In the “Two Factor Authentication (2FA)” section, tick the “Enable Two-Factor Authentication For All Users?” box, and then select the “Authenticator App” option:

Global Two-Factor Authentication Options - now includes authenticator apps
Global Two-Factor Authentication Options – now includes authenticator apps

Click “Save Changes” and 2FA via Authenticator Apps will be enabled for all user accounts.

Enabling 2FA Authenticator App For Individual User Accounts

2FA options are also available on a per-user account basis. Administrators can enable, disable, or change the 2FA method on a user account by going to MIDAS Admin Options > Manage Users & Permissions.

Select the user account you wish to enable 2FA for, and choose “Authenticator App” from the “2FA Login” setting:

New per-user Two-Factor Authentication Options
New per-user Two-Factor Authentication Options

Then click “Save Changes”.

How 2FA via an Authenticator App Works

When 2FA authentication via authenticator apps has been enabled on a user’s account, the next time they login, they’ll be presented with a QR Code to scan with their authenticator app:

Setting up your authenticator app upon first login
Setting up your authenticator app upon first login

If they’re unable to scan the QR Code a ‘secret key’ is also provided which can be manually entered into authenticator apps.

The user’s authenticator app will then generate a 6 digit code which they can enter into MIDAS to complete their login.

The QR Code / Secret Key needs only to be scanned/entered into the user’s authenticator app once upon first use. For subsequent logins, the user will simply need to enter the 6 digit code generated by their authenticator app:

Entering a OTP generated by your authenticator app to complete login
Entering a OTP generated by your authenticator app to complete login

Supported Authenticator Apps

Popular FREE authenticator apps supported by MIDAS include:

However, any OTP authenticator app which generates Timed One-Time Passwords (TOTP) derived from a shared secret value and the current time should be compatible. TOTP codes are typically six digits long and change every 30 seconds.

Resetting 2FA

If a user looses their authenticator app, an administrative user in a MIDAS system can change the user’s 2FA method, or reset their authenticator token. By resetting a user’s authenticator token, the next time the user logs in, they’ll be presented with a brand new QR Code/Secret Key to enter into their authenticator app.

Availability

2FA login authentication has been available since MIDAS v4.10 (2015). However, this implementation is limited to authentication codes sent to users via email. 2FA could also only be enabled globally (for all user accounts)

2FA login authentication via either email or authenticator apps is available in MIDAS v4.38 or later. These options can be enabled globally, or an a per user account basis.

Tags: , , ,

Deprecating some outdated settings

5 minute read time · Updated September 3, 2024 · First published July 25, 2024

In MIDAS v4.37, we’re deprecating some outdated privacy and security settings.

In this post, we’ll outline what’s changing and explain the reasons behind the decision to remove these options.

“SSL Access” setting has been removed

SSL Access setting in MIDAS
SSL Access setting in MIDAS

In the early days of the World Wide Web, you connected to websites over “http”.

“http” connections were not secure and could be intercepted. So along came “https”, which allowed visitors to connect to websites over encrypted Secure Socket Layer – or SSL – connections.

However, adoption of “https” was initially slow by the majority of the World Wide Web. Primarily, this was due to SSL certificates being very expensive. Large financial institutions were naturally quick to jump on https. However, the price of SSL certificates put securing websites with https out of reach of the average webmaster. Especially when the cost to renew them every 1-2 years was factored in.

Now, as you may know, we’ve been developing our web based MIDAS room booking software for nearly 20 years now! When we first began to offer a “cloud hosted” booking system to customers (way back in 2007), SSL/https use around the web was not wide spread, and was expensive to implement.

Initially in 2007, we offered our cloud-hosted customers the option of being able to access their hosted MIDAS system over secure https. This was available via an optional (paid) addon for their scheduling system.

By June 2011, we’d recognized the importance and benefit of secure SSL connections for all our customers to their MIDAS systems. We therefore introduced better support for secure SSL connections with MIDAS v3.13.

As part of this, we added a new “SSL Access” setting to v3.13. This allowed administrators to control whether insecure http and/or secure https connections would be permitted to their MIDAS system.

In August 2012, we then took the further decision to include an SSL Certificate to enable secure connections for all our existing and future cloud hosted customers. At the same time, we enforced https connections to all hosted MIDAS system.

Consequently, the “SSL Access” option first introduced in MIDAS v3.13 became redundant for our cloud-hosted customers. Since 2015 and MIDAS v4.09, this option has no longer been available in cloud-hosted editions of our booking system.

In the following years, gradually the cost of SSL certificates reduced. Then in 2016, along came a game-changing service called “Let’s Encrypt“. Let’s Encrypt offered FREE SSL certificates for all. This finally allowed every webmaster the ability to “secure” visitor connections to their websites at zero cost.

In May 2018 we migrated all our cloud-hosted customer’s SSL certificates from expensive GlobalSign certificates to ones issued for free by Let’s Encrypt instead.

Now, in 2024, SSL/https certificates are the norm – in fact, all modern web browsers now alert you if you attempt to visit an insecure website via http.

So whilst we removed the “SSL Access” settings in cloud-hosted MIDAS systems back in 2015, we’re now also removing these settings for self-hosted customers starting with MIDAS v4.37.

“Allowed IP Range” setting has been removed (self hosted editions only)

Allowed IP Range setting in MIDAS
Allowed IP Range setting in MIDAS

The “Allowed IP Range” setting is one of the earliest security settings we provided in our room booking system. In fact, it was first introduced in v1.35 back in August 2007.

The setting allows an administrator to restrict access to their MIDAS system to an IP address or range.

This can be useful if a MIDAS system is hosted on a public-facing web server, which potentially could be accessed by anyone worldwide. The “Allowed IP Range” setting can be used to restrict access to users in your own country, organization, or to just you!

However, one of the limitations of this setting is that it only supports ipv4 address, and not ipv6 addresses.

Also, in the years since this setting was first introduced, other security and firewall products are available which provide greater control over access to websites, apps, and servers.

Therefore, starting with MIDAS v4.37, we have removed the “Allowed IP Range” setting in self-hosted editions.

If you’re a self-hosted customer and wish to restrict access to your MIDAS system by IP address you should consider other options to achieve this.

For instance, on Apache servers, you can easily allow/deny access by ip address/range in your httpd.conf or .htaccess files. For more information, please see Apache’s guidance on access control.

“Do Not Track (dnt)” has been superseded by “Global Privacy Control”

Honor user's Do Not Track preference setting in MIDAS
Honor user’s Do Not Track preference setting in MIDAS

“Do Not Track” – or ‘dnt’ for short – was an official HTTP header first proposed in 2009. It was intended to allow user to opt-out of tracking by websites.

By 2011, all major web browsers had implemented support for the proposed “Do Not Track” features.

In 2017, with the release of MIDAS v4.16, we included an “Honor user’s Do Not Track preference” setting.

If enabled (and if an end-user had also enabled the “Do Not Track” feature in their browser), MIDAS would not log the user’s IP address in the Recent Activity Log.

However, globally, recognition and support of the “Do Not Track” HTTP header by websites was poor. So much so that in January 2019, the “Do No Track” HTTP header was officially deprecated. A month later, Apple removed DNT support from their Safari browser.

Whilst some other browsers still continue to offer a “Do Not Track” setting, it has since been supersede by a new “Global Privacy Control” – or GPC – header.

At time of writing, Global Privacy Control is still classed as an “experimental” and “non standard” technology, and it’s behaviour may change in the future.

But for MIDAS v4.37, we’ll support both DNT and GPC features. The “Honor user’s Do Not Track preference” setting will be renamed to “Honor user’s privacy preferences” to reflect this.

It’s likely that in a future update we’ll fully drop support the deprecated “DNT” header. At time of writing though, as some browsers still support it, we’ll continue to support it too.

Tags: , , , ,