Posts Tagged: security

Recent “Security Enhancements” in MIDAS

As part of our ongoing commitment to security, you may notice that “Security Enhancements” often appears in the changelog when we release new builds.

In this blog post we’ll shed some light on the “security enhancements” that were recently introduced in MIDAS v4.11 and v4.12.

IP Change Detection

Starting with MIDAS v4.12, if a logged-in user’s IP address changes mid-session, the system automatically logs the user account out, forcing the user to log in again.

It’s rare for a user’s IP address to legitimately change mid-session, so the majority of our users will not notice this additional security enhancement.

What it does do, however, is strengthen user sessions against “session hijacking”. In general terms, a session hijack is when an attacker takes over a user account by gaining access to the unique identifying token (or cookie) of an active user session.

With the new IP Change Detection in MIDAS v4.12, should a user fall victim to a session hijack, the session would be immediately invalidated, as the originating IP address would suddenly change from the valid user’s IP address to the attacker’s.

→ Tip: Users’ IP addresses are also logged in each MIDAS system’s Recent Activity Log.

Shorter Cookie Persistence

We’ve all come across websites with “Remember Me” or “Keep Me Logged In” tick boxes on login screens. These mean that you don’t have to re-enter your username and password for the site each time you come to log in. When you select this box, information is stored in a browser “cookie” and retrieved the next time you visit.

MIDAS has included a “Remember Me” tickbox on the login screen since v4.07 (September 2014). Previously, the cookie saved by your browser would persist until 1st January 2020 – some 4 years in the future!

This meant that if you were to log in to MIDAS today, you could come back to the same browser in a few years time, and still log in without needing to remember your credentials.

We felt this was a little too long for your browser to be retaining such data. Therefore, from MIDAS v4.12 the “Remember Me” option only remembers your details for a period of 90 days. If you don’t log in again within this period, you’ll have to enter your email address and password manually the next time you do.

Why is this better? It ensures that “dormant” user accounts (those not logged into for over 90 days) don’t have lingering login details persisting in client-side cookies.

Tip: MIDAS administrators can disable the “Remember Me” option completely via MIDAS Admin Options → Manage MIDAS → Security.

Improved Session Control

In MIDAS v4.11, we introduced a new security setting to automatically log out any users that have remained logged-in for more than a set number of hours. This setting may be found under MIDAS Admin Options → Manage MIDAS → Security → Session Control.

This is different from the existing “inactivity” logout setting, which logs users off after a period of no activity. The additional “Always force logout after…” setting logs users off after a set period of time, regardless of whether they are “active” or not.

Why is this useful? Browser extensions/addons exist which automatically “reload” a web page at a recurring interval. This could allow a user account to remain logged in indefinitely, even with the “Inactivity forces logout after…” setting in place.

For example, if the “Inactivity forces logout after…” setting in MIDAS were set to “1 hour”, then a user would usually be logged off automatically 1 hour after their last interaction with MIDAS. However, if an addon/extension were set up to “reload” part of MIDAS every 30 minutes, this would look like “user activity” to MIDAS, and so the account would never be logged out automatically.

To combat this, the new additional “Always force logout after…” setting was introduced in v4.11. If your business usually runs 9am-5pm, you could set this to 8 hours. This means that no user account can remain logged in for more than 8 hours in total. So if a user were to log in at 9am and use a browser addon/extension to effectively remain logged in all day, they would still be automatically logged out of MIDAS at 5pm.

New Session Manager

MIDAS can be configured to allow concurrent logins to user accounts from multiple browsers/devices. When enabled, this allows a user to be concurrently logged into MIDAS from their laptop, phone, and tablet.

MIDAS v4.11 introduced a new “Session Manager”. This allows users to see the other devices they’re currently logged in from. The session manager shows the IP address and browser of each session, and allows you to log any of them out remotely!

Improved Password Change Behavior

MIDAS offers the ability to allow multiple concurrent logins to the same user account. In v4.11 we’ve enhanced the security of this feature: if a user changes their MIDAS password, all other devices they’re currently logged in from are automatically logged out. Previously, changing a password from one device wouldn’t take effect on other devices the user was logged in from until the next time they logged in.
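The session rules described in this post (IP Change Detection, the inactivity and “Always force logout after…” timeouts, the Session Manager listing, and logging out other devices on a password change) put together in one server-side session store. This is an added Python example, not MIDAS’s own code; the 1-hour idle and 8-hour absolute limits are the values used in the post’s example, and the time is passed in as a number so the logic can be exercised without waiting.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 60 * 60          # "Inactivity forces logout after..." set to 1 hour
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # "Always force logout after..." set to 8 hours


@dataclass
class Session:
    user: str
    ip: str
    created: float    # login time; never refreshed, so page reloads cannot extend it
    last_seen: float  # refreshed on every request


class SessionStore:
    """Server-side session table; the browser only ever holds the opaque token."""
    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, now):
        token = secrets.token_urlsafe(32)  # unguessable identifier from the OS CSPRNG
        self._sessions[token] = Session(user, ip, now, now)
        return token

    def validate(self, token, ip, now):
        """Return (user, 'ok') for a live session, else (None, reason) after dropping it."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if ip != s.ip:                              # IP change detection (v4.12)
            reason = "ip_changed"
        elif now - s.last_seen > IDLE_TIMEOUT:      # inactivity logout
            reason = "idle"
        elif now - s.created > ABSOLUTE_TIMEOUT:    # forced logout, active or not (v4.11)
            reason = "absolute"
        else:
            s.last_seen = now  # a periodic reload counts as activity, and nothing more
            return s.user, "ok"
        del self._sessions[token]  # a hijacked or expired token is useless from here on
        return None, reason

    def list_sessions(self, user):
        """What the Session Manager lists: the source IP of each live session for a user."""
        return sorted(s.ip for s in self._sessions.values() if s.user == user)

    def password_changed(self, user, current_token):
        """On a password change, log the user out everywhere except the changing device."""
        stale = [t for t, s in self._sessions.items() if s.user == user and t != current_token]
        for t in stale:
            del self._sessions[t]
```

Binding a session to its IP cannot tell a hijacker apart from the real user when both sit behind the same egress address, and it logs out users whose address legitimately changes (for example on mobile networks), which is why the absolute timeout and password-change invalidation matter alongside it.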

Cryptographically-secure Random Number Generation

MIDAS stores passwords as SHA-512 hashes with a random “salt”. The randomness of this salt has been improved starting with v4.11: if the Perl module Math::Random::Secure is available on the server where a MIDAS system resides, MIDAS will use it to generate cryptographically secure random numbers.
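Salted SHA-512 password storage with the salt drawn from a cryptographically secure source, as an added Python example (not MIDAS’s Perl code): the `secrets` module plays the role Math::Random::Secure plays on the Perl side, and a 16-byte salt is an assumption.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumed salt length; it only needs to be unique per user, not secret


def new_salt():
    """Per-user salt from the OS CSPRNG; a predictable RNG would let salts be guessed."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password, salt):
    """SHA-512 over salt || password, returned as hex."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def make_record(password):
    """What gets stored for a user: the salt alongside the hash, never the password."""
    salt = new_salt()
    return {"salt": salt.hex(), "hash": hash_password(password, salt)}


def verify_password(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], hash_password(candidate, salt))
```

Because the salt differs per user, two accounts with the same password get different hashes, so one cracked hash reveals nothing about the other; a deliberately slow password hash (bcrypt, scrypt or Argon2) would further raise the cost of offline guessing over a single SHA-512 round.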

You might also be interested in:
Tips For Keeping Your MIDAS Secure

Activity Logging Improvements

The next update to our web based room booking and resource scheduling software is fast approaching, and throughout this month we’re giving you a “first look” at some of the new features and improvements coming in MIDAS v4.11…

Perhaps one of the most powerful, yet overlooked, tools in MIDAS for administrators is the Recent Activity Log.

The Recent Activity Log records all recent actions that have taken place within your MIDAS system. It records the date, time, IP address and user who initiated the action.

We’re making a couple of improvements in this area for v4.11 to help you better understand and keep track of how your scheduling system is being used.

In v4.11, the Recent Activity Log also records all failed login attempts, including those against locked or suspended user accounts:

Audit Log – Failed Login Attempts

Additionally, as the Recent Activity Log can become large, we’ve added a filter so that you can quickly restrict the log to particular event categories. The 8 categories available are: Bookings, Clients, Email, Invoices, Printing, Settings, System, and Booking Requests.

For example, filtering the Recent Activity Log to only show events in the “Bookings” category will then only show log entries relating to the addition, modification, deletion, and restoration of bookings. Similarly, filtering the log by the “System” category will only show system-related log messages, including successful & failed login attempts, password changes, logouts, backup generation and system updates.
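Filtering the log by category and picking out the newly recorded failed login attempts per source IP, as an added Python example that is not MIDAS’s own code. MIDAS does not publish the log’s on-disk layout, so the “date time | ip | user | category | message” line format and the sample entries below are constructed for the example.

```python
import re
from collections import Counter

CATEGORIES = {"Bookings", "Clients", "Email", "Invoices", "Printing",
              "Settings", "System", "Booking Requests"}

# Constructed sample lines in an assumed "date time | ip | user | category | message" layout
SAMPLE_LOG = """\
2016-05-03 09:01:10 | 203.0.113.9 | alice@example.com | System | Successful login
2016-05-03 09:02:41 | 203.0.113.9 | alice@example.com | Bookings | Booking added
2016-05-03 09:05:02 | 198.51.100.7 | alice@example.com | System | Failed login attempt
2016-05-03 09:05:09 | 198.51.100.7 | alice@example.com | System | Failed login attempt
2016-05-03 09:05:15 | 198.51.100.7 | bob@example.com | System | Failed login attempt (account locked)
2016-05-03 09:06:30 | 203.0.113.9 | alice@example.com | Email | Confirmation email sent
2016-05-03 09:07:00 | 203.0.113.9 | alice@example.com | Booking Requests | Booking request approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<ip>\S+) \| (?P<user>\S+) \| (?P<cat>[^|]+?) \| (?P<msg>.+)$")


def parse_log(text):
    """Parse known-category lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("cat") in CATEGORIES:
            entries.append(m.groupdict())
    return entries


def filter_category(entries, category):
    """The v4.11 category filter: keep only entries from one of the eight categories."""
    return [e for e in entries if e["cat"] == category]


def failed_logins_by_ip(entries, threshold=2):
    """Count failed logins per source IP and return the IPs at or above the threshold."""
    counts = Counter(e["ip"] for e in filter_category(entries, "System")
                     if e["msg"].startswith("Failed login"))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```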

MIDAS v4.11 will soon be generally available, however for now it is only available to Beta Testers. We’re currently looking for additional testers to help test and provide feedback/bug reports on this and future updates to our software before release. It’s free and no experience is required. Find out more here.

If you would like to be notified when v4.11 is fully released, then why not join our Mailing List?

Improved Session Control

The next update to our web based room booking and resource scheduling software is fast approaching. Throughout this month we’re giving you a “first look” at some new features and improvements coming in MIDAS v4.11.

We take a proactive approach to security here at MIDAS, so we’re excited to provide you with greater control over your sessions in v4.11.

If the multi-session (Allow Multiple Logins By Users) feature has been enabled for your MIDAS system, you’ll be able to log in to your scheduling system from multiple devices simultaneously.

If this option has been enabled on your system, then whenever you log in, you’ll be able to click your name near the top of your screen to see a list of all devices/browsers you’re currently logged in from:

Session Control

The list will show when the last activity in MIDAS occurred from each device, as well as indicating the device’s IP and Browser/OS. The highlighted entry denotes your current session.

You can remotely log out any of these sessions by clicking/tapping the device’s adjacent “x” icon.

Other session improvements

We’ve also made a couple of other improvements in relation to sessions for v4.11:

Firstly, when changing your password, all other active sessions you’re currently logged into will automatically be logged out. This takes place across all your devices.

Secondly, we’ve provided a new administrative setting to force accounts to be logged out once they’ve been logged in for a lengthy period of time, regardless of whether any recent account activity took place. This setting complements the existing setting which automatically logs sessions out when they become “idle”. The new additional setting can be useful to combat situations where a user can effectively remain logged into MIDAS “indefinitely”, which can happen if they’re running a browser extension/addon which regularly refreshes their browser window. With this new setting, even if a user’s browser window is refreshing regularly so that they never hit the idle timeout, the new “Always force logout after X hours” setting will still force their session to time out once it’s been logged in for longer than the configured period (1-24 hours).

This new setting can be accessed via MIDAS Admin Options → Manage MIDAS → Security. For more information, please see: Manage Security Settings


New Two-Factor Authentication

We take a very proactive approach to the security of our customers’ MIDAS systems and data, and we always strive to provide administrators and users alike with a wealth of security features and settings within our software.

→ Read our Tips for keeping your MIDAS secure

We’re further enhancing the security options available in our web based room booking and resource scheduling software by introducing optional two-factor authentication in MIDAS v4.10.

Enabling two-factor authentication in MIDAS

What is Two-Factor Authentication?

Traditionally, when you access a website/app/online service which requires you to “log in”, all you need to provide is your username (or email address) and a password in order to authenticate your access.

Unfortunately, many people reuse the same credentials (username/password) across multiple websites/apps/online services. This means that if one of those services gets “hacked” and has a data breach in which users’ credentials are exposed, an attacker could potentially access every other website/app/online service the user uses.

Two-factor authentication combats this by employing a secondary means of authentication, in addition to the traditional username/password combination, when you log in to the website/app/online service. This means that even if your username/password were compromised, an attacker couldn’t use these on their own to gain access to your account.

How does two-factor authentication work within MIDAS?

Without two-factor authentication enabled in MIDAS v4.10, users simply log in using their email address and chosen password. (A wealth of other customizable security features are already built into MIDAS to help prevent “brute force” attacks.)

However, with the new optional two-factor authentication feature enabled in v4.10, users enter their email address and password as normal, but MIDAS then emails the user a security code and presents a web page for this code to be entered. Once the user enters the code they’ve received by email, the two-step login process is complete and they are logged into MIDAS.

Entering a one-time code to complete your login

This ensures that in order to gain access and login to MIDAS, a user needs to know their MIDAS credentials and also have access to their own email account to retrieve a special security code upon each login.

As such, for two-factor authentication to be an effective security tool, users should ensure that they use a unique password for their MIDAS account (i.e. one which isn’t the same as the password they use to log in to their own email account!).
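The second step of the login described above (password already checked, emailed security code still to be entered), as an added Python example that is not MIDAS’s own code. The six-digit length, the 10-minute validity and the five-attempt limit are assumptions, not values the post states; the time is passed in as a number so the expiry can be exercised directly.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL = 10 * 60   # assumed: a code is valid for 10 minutes
MAX_ATTEMPTS = 5     # assumed: wrong guesses allowed before the code is voided


def new_code():
    """Zero-padded numeric code from the OS CSPRNG, never from random.randint()."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class PendingLogin:
    """Login that has passed the password check but not yet the emailed code."""
    def __init__(self, user, code, now):
        self.user = user
        self.created = now
        self.attempts = 0
        self.used = False
        # Keep only a hash so a dumped server-side table does not expose live codes.
        self._digest = hashlib.sha256(code.encode()).hexdigest()

    def verify(self, submitted, now):
        """True exactly once, for the right code, inside the time and attempt limits."""
        if self.used or now - self.created > CODE_TTL or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        candidate = hashlib.sha256(submitted.strip().encode()).hexdigest()
        if hmac.compare_digest(self._digest, candidate):  # constant-time comparison
            self.used = True  # single use: a code seen in transit cannot finish a second login
            return True
        return False


def begin_second_step(user, now):
    """Called after the password check; returns the pending state, the code, and the email text."""
    code = new_code()
    body = f"Your MIDAS security code is {code}. It expires in {CODE_TTL // 60} minutes."
    return PendingLogin(user, code, now), code, body
```

The attempt limit is what keeps a six-digit code meaningful: without it, an attacker holding the password could simply try all one million values.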

For more information on the existing security settings and features available within MIDAS, please see the Manage Security Settings section of the help documentation.

Want to help shape and improve future MIDAS updates? Then why not consider becoming a Beta Tester? – it’s free, there’s nothing to install, and no technical knowledge is required!