tivoweb password protect session timeout



NerdCat
14-04-2011, 03:21 PM
I've got my TiVo series 1 (Australia) set up with TivoWeb username password protection using a port forward through my router. The TivoWeb config is set up with LAN access not password protected.

This all works as expected and I'm not prompted internally, but I am externally.

However, the session never seems to time out. That is, I can connect from my PDA or work PC, for example, and I'm prompted for credentials as expected. But from that point on I'm never prompted again. This is true even if I leave the devices overnight, and even in the case of my PDA if it's disconnected from the internet for several hours.

If I restart TivoWeb it makes no difference. But if I restart TiVoWeb after first changing the configured password, it re-prompts. So the authentication is obviously working. And something is obviously storing the credentials.

However, it's not browser-specific. If I clear the browser cache (Firefox) and cookies, no difference. Same on my PDA (Android).

So I'm wondering if TivoWeb somehow recognises requestors and lets them in.

Does anyone know how or if the session timeout for TivoWeb works, and when I might expect to be re-prompted for credentials? Obviously I'd like a timeout for when I access remotely from an untrusted or public PC.

petestrash
17-04-2011, 11:33 AM
Long time since I have played around the guts of TW, and cannot remember any timeout options. TiVoweb was not designed from the ground up for external access, it was added later without much thought for security.

You might want to have a look at the support thread (http://www.dealdatabase.com/forum/showthread.php?t=38725) and development thread (http://www.dealdatabase.com/forum/showthread.php?t=44756) for your issue.

An improvement might be just changing the port TiVo listens to by changing port = 80 in tivoweb.cfg to a non-standard port (still not safe, but better than you currently have).

Or even running a Secure SSL Reverse Proxy for TivoWeb (http://www.tivohelp.com/archive/tivohelp.swiki.net/83.html).

Peter.
