Topic: Security improvements
I have some suggestions to improve Wialon more secure:
1. Set minimum acceptable password lentgth 8 characters
2. Setting minimum password strength for each user (or at least for all users same minimum strength in system)
3. A functionality to make users disable in case of reaching a threshold number of failed logins (it can be editable)
4. Logging all unsuccessful login tries and show unsuccessful login tries after a successful login in system to user
5. Setting maximum concurrent active sessions for each user
6. We all know that Wialon sends avl_evts to it's server and it keeps session alive (preventing session expiration after 300 seconds of inactivity). It would be great if we have an option for each user (or whole system) to tell the system that should consider avl_evts as a request for keeping session alive or not. I mean as this command is a automatic command and is not executed by user, we can exclude it from commands that keep session alive. Is this situation in case that a user doesn't use Wialon then no other command than avl_evts will be executed and then system can close the session after 300 seconds. (As I explained it can be an option and system administrator can set system to consider avl_evts as user activity or not)
7. We have Active sessions for IP in admin panel but we can't set it less than 10, it would be better id admin can set any number like 3 or 1. The IP blocking time out is not editable.
8. Now, a top user can't close an user's sessions. You just can change its password to close all sessions. It's recommended to change the system in a way that if you make user disable then system automatically and immediately close all sessions related to that user.