Good evening everybody!
Tonight I noticed that an automatically locked dashboard still shows the last dashboard used behind the log in faceplate. When I log off, the log on faceplate is shown on an empty dashboard.
Is this a setting that I missed? I checked the config, but I am unable to find a setting what to display for auto lock. If it is default behavior, I would like to make a wish to change it for improving security. But not, before I am sure that is not a setting.
Thanks,
Joris
There is no setting as there is no autolock. How are you achieving that ?
Okay, then something went wrong. First of all, I am glad that there is no such setting. 
What I did was work on NodeRed on tab1. Then for a long time worked on other tabs reading and left the laptop unused for an hour.
I've looked in the logs of Node-RED, and there are no records of date datetime. Let's assume it is a one time thingy.
I had this problem just again.
My laptop went to powersave mode while the browser was still open and logged in to Node-RED.
When the system was up again. The browser (FF) showed the log in screen above the flows.
I use FireFox 78.3 Node-RED 1.13 on a Raspberry Pi with Raspberry Pi OS (Raspbian).
I checked the logs, but no errors from Node-RED. For me it personally not a problem, it seems to me a security risk. A logged off system should not display data.
I suspect that was the browser caching the page, nothing to do with node-red.
Are you sure, or guessing. Even when it is done with the browser, shouldn't be a way that Node-RED disables this caching. This is the first webbased application I've seen that has this issue. Therefore I think that there should be a way to solve this.
Before it gets browser brand specific. I had this problem first on a Windows 10 with Chrome. This was Debian with Gnome and FireFox.
This is nothing to do with caching. If the login session expires whilst the editor is open the login dialog appears.
The fact you can still see the flows in the background has never been highlighted as an issue.
If you were in the middle of working on the flows and the session expired, you wouldn't want it to discard all your work - you'd want a chance to login back in so you could save your work.
We could blur the background when the dialog is open to obscure the flows, but all that information would still be readily accessible using the browser developer tools.
One option would be to have a timeout on that dialog - if it isn't submitted within X minutes then reload the page to flush the flow data (and lose any undeployed changes). (But only do that if there is no default user, or that user doesn't have at least read permissions.)
Would need to think through what that would mean for those who embed nr. Also whether any of that behaviour should be customisable.
I think that an auto log off with loss of data is a good add-on regarding some security rules. For some areas it is mandatory that a server-program logs you off after some inactivity. SAP systems have this option as well. It will log you off with loss of data local to avoid not monitored client usage.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy
