Posts Tagged: session

Improved Device Detection

Whenever your user account is logged into from a new or unfamiliar device, MIDAS can automatically alert you by email. This additional security feature helps keep your account secure by alerting you to suspicious logins. An unfamiliar login notification includes details of the browser, operating system, IP address, and – with our optional Geolocation addon – location, of the device that’s just logged into your account.

Until now, MIDAS has been unable to distinguish between more recent operating system versions. For example, between Windows 10 and Windows 11, or between MacOS Ventura and Sonoma.

This is because MIDAS has relied on the “User Agent” (UA) string that’s presented by the browser that’s logging in.

Here’s an example of a browser’s “User Agent” string presented to a web server:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36

There’s a lot of information there, but essentially, from this string MIDAS can derive that it’s a Windows (64-bit) device, and the browser is Google Chrome 123.

Here’s another example:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0

From this, MIDAS can derive that it’s a macOS device, and the browser is Firefox 124.

But wait… can’t MIDAS also determine the exact version of the operating system from these UA strings?

Mac OS X 10.15… Catalina? …Big Sur? …Monterey? …Ventura?

Doesn’t “Mac OS X 10.15” imply macOS Catalina? …and doesn’t “Windows NT 10.0” imply Windows 10?

Well, that used to be the case, but not any more!

Modern browsers now “clamp” the versions of more recent macOS/Windows operating systems reported in the User Agent string. For macOS, the User Agent string will report a maximum of “Mac OS X 10.15”. For Windows, a maximum of “Windows NT 10.0” (Windows 10) will be reported. Browsers no longer natively report the specific version of the operating system they’re running on.

This means that a Chrome browser running on either Windows 10 or Windows 11 will report “Windows NT 10.0”. Similarly, macOS Catalina (10.15), Big Sur (11), Monterey (12), Ventura (13), and Sonoma (14), will all report “Mac OS X 10.15”.
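To make the clamping concrete, here is an added example (not MIDAS code) of a small UA-string parser that extracts what the string still reliably says (platform, architecture, browser and browser version) and flags when the reported OS version is the clamped ceiling value, so a login alert can say “Windows 10 or 11” rather than asserting a version the browser never actually revealed. The sample UA strings in the test are constructed.

```python
import re

# Browsers now clamp the OS version in the UA string: Windows reports at most
# "Windows NT 10.0" and macOS at most "Mac OS X 10.15" (or "10_15"), so these
# values cannot tell Windows 10 from 11, or Catalina from Sonoma.
CLAMPED_VERSIONS = {"Windows": "10.0", "macOS": "10.15"}

_OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
    ("macOS", re.compile(r"Mac OS X (\d+[._]\d+)")),
]
_BROWSER_PATTERNS = [  # order matters: Chrome/Edge UAs also contain "Safari"
    ("Edge", re.compile(r"Edg/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\S* Safari/")),
]

def parse_user_agent(ua):
    """Extract what a UA string still reliably says about the device, plus a
    flag showing whether the reported OS version is the clamped ceiling value."""
    result = {"os": "unknown", "os_version": None, "os_version_clamped": False,
              "arch": None, "browser": "unknown", "browser_version": None}
    for name, pattern in _OS_PATTERNS:
        m = pattern.search(ua)
        if m:
            result["os"] = name
            result["os_version"] = m.group(1).replace("_", ".")
            result["os_version_clamped"] = result["os_version"] == CLAMPED_VERSIONS[name]
            break
    if "Win64" in ua or "x64" in ua or "x86_64" in ua:
        result["arch"] = "64-bit"
    for name, pattern in _BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            result["browser"], result["browser_version"] = name, m.group(1)
            break
    return result

def describe_os(parsed):
    """OS label for a login alert that is honest about what the UA cannot say."""
    if parsed["os_version_clamped"]:
        if parsed["os"] == "Windows":
            return "Windows 10 or 11 (version clamped by browser)"
        return "macOS 10.15 Catalina or later (version clamped by browser)"
    if parsed["os_version"]:
        return f'{parsed["os"]} {parsed["os_version"]}'
    return parsed["os"]
```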

So Windows 10 and 11 are the same then?

In an effort to improve user privacy, browsers have decided to no longer reveal the specific operating system version a user is using when visiting a website, in order to make it harder for websites to “fingerprint” users.

“Fingerprinting” is a technique that some websites employ to uniquely identify and potentially track visitors.

So because of these changes to the way browsers report User Agent strings, it’s been difficult for MIDAS to provide an unfamiliar login notification containing details of the exact operating system version that’s been used to log in to an account.

But advancements in technology mean that we’ve now been able to make improvements to device detection for MIDAS v4.36.

Utilizing New “Client Hint” technology

Client hints are a set of HTTP request headers that provide useful information about the client, such as device type and network conditions. This then allows servers to optimize what is served for those conditions.

Unlike the traditional “User Agent String”, client hints provide a more efficient and privacy-preserving way of getting the desired information.

A web server can proactively request the client hint headers it is interested in. The browser can then include the requested headers in subsequent requests.

If the web server upon which a MIDAS system is running proactively requests either the “sec-ch-ua-platform-version” or “ua-platform-version” client hint header, MIDAS can receive details of the user’s operating system version.

Unfamiliar login notifications (if enabled) can then provide much more accurate information as to the operating system of the new device which has logged into your account.
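The opt-in exchange described above, as an added example that is not MIDAS’s own code: the server sends an Accept-CH response header naming the hints it wants, and on later requests the browser supplies Sec-CH-UA-Platform and Sec-CH-UA-Platform-Version, which the server maps to an OS version for the login alert. The Windows version mapping follows Chromium’s documented behaviour (platform version is the UniversalApiContract version); the header values in the test are constructed.

```python
# Client Hints handshake: the server opts in by sending Accept-CH on a response
# (the login page is a natural place); the browser then adds the requested
# Sec-CH-UA-* request headers to subsequent requests. Chromium-based browsers
# send them only over HTTPS, and only Sec-CH-UA-Platform is sent unprompted.
ACCEPT_CH = "Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version"

# Chromium reports the Windows platform version as the UniversalApiContract
# version, not the marketing name: 0.x = Windows 7/8/8.1, 1.x-10.x = Windows 10
# releases, 13.0.0 and above = Windows 11. macOS reports its real version.
MACOS_NAMES = {"10.15": "Catalina", "11": "Big Sur", "12": "Monterey",
               "13": "Ventura", "14": "Sonoma"}

def opt_in_response_headers():
    """Headers a server adds to a response to ask for the high-entropy hint;
    Vary tells caches that the response depends on it."""
    return {"Accept-CH": ACCEPT_CH, "Vary": "Sec-CH-UA-Platform-Version"}

def _unquote(value):
    # Sec-CH-UA-* values are Structured Field strings, i.e. quoted: "Windows"
    return value.strip().strip('"') if value else None

def os_from_client_hints(headers):
    """Resolve an OS name/version from Client Hint request headers (any case).
    Returns None when the hints are absent: unsupported browser, plain HTTP,
    or the server never sent Accept-CH."""
    lowered = {k.lower(): v for k, v in headers.items()}
    platform = _unquote(lowered.get("sec-ch-ua-platform"))
    version = _unquote(lowered.get("sec-ch-ua-platform-version"))
    if not platform or not version:
        return None
    parts = version.split(".")
    major = int(parts[0])
    if platform == "Windows":
        if major >= 13:
            return "Windows 11"
        return "Windows 10" if major >= 1 else "Windows 7/8/8.1"
    if platform == "macOS":
        key = ".".join(parts[:2]) if major == 10 else str(major)
        return f"macOS {version} {MACOS_NAMES.get(key, '')}".strip()
    return f"{platform} {version}"

def device_os_for_login_alert(headers, ua_fallback):
    """Prefer Client Hints; otherwise fall back to the (clamped) UA description."""
    return os_from_client_hints(headers) or ua_fallback
```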

Improved Device Detection in MIDAS v4.36

Web Server Configuration

Because a web server has to proactively request these new Client Hint headers in order for browsers to send them, servers have to be configured accordingly.

All of our cloud-hosted nodes have been appropriately configured. Our client servers now proactively request the necessary Client Hint headers. This in turn means that all cloud hosted users can start to take advantage of these improvements to device detection and unfamiliar login notifications.

For self-hosted customers, a small configuration change to the web server your MIDAS system is running from is required.

Details of the configuration change you’ll need to make can be found in our KB article, How to configure your server for Client Hints.

Improved Session Control

The next update to our web based room booking and resource scheduling software is fast approaching. Throughout this month we’re giving you a “first look” at some new features and improvements coming in MIDAS v4.11.

We take a pro-active approach to security here at MIDAS, so we’re excited to provide you with greater control over your sessions in v4.11.

If the multi-session (Allow Multiple Logins By Users) feature has been enabled for your MIDAS system, you’ll be able to log in to your scheduling system from multiple devices simultaneously.

If this option has been enabled on your system, then whenever you log in, you’ll be able to click your name near the top of your screen to see a list of all devices/browsers you’re currently logged in from:

Session Control

The list will show when the last activity in MIDAS occurred from each device, as well as indicating the device’s IP and Browser/OS. The highlighted entry denotes your current session.

You can remotely log out any of these sessions by clicking/tapping the device’s adjacent “x” icon.

Other session improvements

We’ve also made a couple of other improvements in relation to sessions for v4.11:

Firstly, when changing your password, all other active sessions you’re currently logged into will automatically be logged out. This takes place across all your devices.

Secondly, we’ve provided a new administrative setting to force accounts to be logged out if they’ve been logged in for a lengthy period of time. This will happen regardless of whether any recent account activity took place. This setting complements the existing setting which allows sessions to automatically log out if they become “idle”. The new additional setting can be useful to combat situations where a user can effectively remain logged into MIDAS “indefinitely”. This can happen if they’re running a browser extension/addon which regularly refreshes their browser window. With this new setting, even if a user’s browser window is regularly refreshing so that they never hit the idle timeout period, the new “Always force logout after X hours” setting will still force their session to timeout if it’s been logged into for more than 1-24 hours.

This new setting can be accessed via MIDAS Admin Options → Manage MIDAS → Security. For more information, please see: Manage Security Settings
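The session rules described in this post, as an added example that is not MIDAS’s own code: a session store with an idle timeout and a separate absolute lifetime (the “Always force logout after X hours” idea), a per-user device list marking the current session, remote log-out of one device, and revocation of all other sessions on password change. The timeout values are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass

# Assumed policy values (constructed); MIDAS's setting is "Always force logout after X hours", X in 1-24
IDLE_TIMEOUT_S = 30 * 60           # existing idle logout (activity-based)
ABSOLUTE_LIFETIME_S = 8 * 60 * 60  # new forced logout, regardless of activity

@dataclass
class Session:
    user: str
    ip: str
    browser: str
    created: float
    last_activity: float

class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> Session

    def login(self, user, ip, browser, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, browser, now, now)
        return token

    def validate(self, token, now):
        """Return the live session for `token`, or None after evicting it. The idle
        check uses last activity, the absolute check uses creation time, so a tab that
        auto-refreshes and keeps resetting the idle clock still hits the absolute limit."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > IDLE_TIMEOUT_S or now - s.created > ABSOLUTE_LIFETIME_S:
            del self._sessions[token]
            return None
        s.last_activity = now
        return s

    def list_for_user(self, user, current_token):
        """The 'click your name' list: IP, browser/OS, last activity, is-current."""
        return [(s.ip, s.browser, s.last_activity, tok == current_token)
                for tok, s in self._sessions.items() if s.user == user]

    def logout(self, token):  # remote log-out of one device (the adjacent 'x' icon)
        self._sessions.pop(token, None)

    def on_password_change(self, user, keep_token):
        """Revoke every other session of this user; the session changing the password stays."""
        for tok in [t for t, s in self._sessions.items() if s.user == user and t != keep_token]:
            del self._sessions[tok]
```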

MIDAS v4.11 will soon be generally available, however for now it is only available to Beta Testers. We’re currently looking for additional testers to help test and provide feedback/bug reports on this and future updates to our software before release. It’s free and no experience is required. Find out more here.

If you would like to be notified when v4.11 is fully released, then why not join our Mailing List?