Session Security and Login Protection

Overview

Server Scout takes security seriously, implementing multiple layers of protection to safeguard your monitoring dashboard and server data. This article explains the security measures in place and provides best practices for maintaining secure access to your monitoring infrastructure.

Session Cookie Security

Server Scout employs several security measures to protect user sessions from common web vulnerabilities.

HttpOnly Flag

All session cookies carry the HttpOnly flag, which prevents client-side JavaScript from reading them. This mitigates cross-site scripting (XSS) attacks that attempt to steal session cookies: even if a malicious script executes in your browser, it cannot read the cookie that identifies your session.

SameSite Attribute

Session cookies are configured with the SameSite attribute to prevent cross-site request forgery (CSRF) attacks. This ensures that session cookies are only sent with requests originating from the same site, blocking malicious websites from making unauthorised requests on your behalf.

Server-Side Session Storage

Sessions are stored securely on the server rather than in client-side cookies. Only an opaque session identifier is stored in your browser's cookie, with no sensitive data exposed. This approach ensures that even if someone intercepts your session cookie, they cannot extract meaningful information about your account or servers.

Session Expiry

Sessions automatically expire after seven days of inactivity, requiring users to re-authenticate. This time-limited approach reduces the risk of unauthorised access from abandoned sessions or compromised devices.

Login Protection Mechanisms

Password Security

Server Scout never stores passwords in plain text. All passwords are hashed using industry-standard cryptographic algorithms before storage, ensuring that even server administrators cannot view your actual password. This means that if you forget your password, it must be reset rather than retrieved.

Password Reset Flow

The forgot password functionality generates a secure, time-limited token valid for one hour. This token is emailed to your registered email address, providing a secure method for password recovery whilst minimising the window for potential abuse.

Here's how the reset process works:

  1. Navigate to the login page and click "Forgot Password"
  2. Enter your registered email address
  3. Check your email for the reset link (expires in 60 minutes)
  4. Follow the link to create a new password
  5. Log in with your new credentials

Administrator Password Resets

Administrators can initiate password resets for team members, generating temporary passwords that must be changed upon first login. This feature ensures that team members can regain access whilst maintaining security protocols.

Cross-Site Scripting (XSS) Prevention

The Server Scout dashboard renders pages with HTML tagged template literals that automatically escape every interpolated value, so data that contains markup is displayed as text rather than executed as script. All user input and displayed data is sanitised in this way to prevent XSS attacks.
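An added example, not the dashboard's own code, of what such an escaping tagged template looks like: literal template text passes through unchanged, every interpolated value is escaped, and only output already produced by the tag is trusted when templates are nested. The sample server record is constructed for the demonstration.

```javascript
// Characters that change meaning inside HTML text or quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Marks a string as already-rendered HTML (the output of an earlier html`` call)
// so that nesting templates does not escape the markup a second time.
class SafeHtml {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

function renderValue(v) {
  if (v instanceof SafeHtml) return v.value;                 // trusted: produced by html``
  if (Array.isArray(v)) return v.map(renderValue).join('');  // e.g. rows.map(...)
  if (v === null || v === undefined) return '';
  return escapeHtml(v);                                      // everything else is data
}

// The tag function: literal template parts pass through untouched, every
// interpolated value is escaped. Authors cannot forget to escape, because the
// only way to insert raw markup is to have produced it with html`` itself.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => { out += renderValue(v) + strings[i + 1]; });
  return new SafeHtml(out);
}

// Constructed sample: a server record whose name field was supplied by a user
// and contains markup. In the output it is rendered as text, not executed.
const servers = [{ name: '<script>alert(1)</script>', status: 'up' }];

function renderServerTable(rows) {
  return String(html`<table>${rows.map(
    (r) => html`<tr><td>${r.name}</td><td>${r.status}</td></tr>`,
  )}</table>`);
}
```

Escaping of this kind is correct for element content and quoted attribute values; a value placed into a URL, an event-handler attribute or an unquoted attribute needs context-specific handling in addition.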

Security Best Practices

Use Strong, Unique Passwords

Create passwords that are:

  • At least 12 characters long
  • Made up of a mix of uppercase, lowercase, numbers, and symbols
  • Unique to Server Scout (not reused from other services)

Consider using a password manager to generate and store complex passwords.

Individual Account Management

Never share login credentials between team members. Instead:

  1. Create individual accounts for each team member
  2. Assign appropriate permission levels based on roles
  3. Remove access promptly when team members leave
  4. Regularly audit user accounts and permissions

Secure Session Management

When accessing Server Scout:

  • Always log out when using shared or public computers
  • Avoid saving passwords in browser autocomplete on shared devices
  • Close browser tabs completely after finishing monitoring tasks
  • Be aware that sessions expire after seven days of inactivity

Monitoring Access

Regularly review login activity and user accounts in your Server Scout dashboard. Remove unused accounts promptly and investigate any suspicious login attempts. If you suspect unauthorised access, change passwords immediately and contact support if needed.

By following these security practices and understanding the protection mechanisms in place, you can confidently monitor your servers whilst maintaining robust security standards.

Frequently Asked Questions

How do I reset my ServerScout password if I forgot it?

Navigate to the login page and click 'Forgot Password', then enter your registered email address. You'll receive a secure reset link that expires in 60 minutes. Follow the link to create a new password and log in with your new credentials.

Why can't I access ServerScout after being away for a while?

ServerScout sessions automatically expire after seven days of inactivity for security purposes. You'll need to log in again with your username and password to regain access to your monitoring dashboard.

How does ServerScout protect my session from hackers?

ServerScout uses multiple security layers including HttpOnly session cookies that prevent JavaScript access, SameSite attributes to block CSRF attacks, server-side session storage with only opaque identifiers in browser cookies, and automatic seven-day session expiry.

Can ServerScout administrators see my password?

No, ServerScout never stores passwords in plain text. All passwords are hashed using industry-standard cryptographic algorithms before storage, ensuring that even server administrators cannot view your actual password. Forgotten passwords must be reset rather than retrieved.

How do I create secure accounts for my team members?

Create individual accounts for each team member rather than sharing login credentials. Assign appropriate permission levels based on their roles, remove access promptly when team members leave, and regularly audit user accounts and permissions for security.

What makes a strong password for ServerScout?

Strong ServerScout passwords should be at least 12 characters long, include a mix of uppercase, lowercase, numbers, and symbols, and be unique to ServerScout. Consider using a password manager to generate and store complex passwords securely.

How does ServerScout prevent XSS attacks on the dashboard?

ServerScout uses HTML tagged template literals that automatically escape all interpolated values, preventing malicious scripts from executing in the browser. All user input and data display is sanitised to prevent cross-site scripting attacks.

Can administrators reset passwords for team members?

Yes, administrators can initiate password resets for team members, generating temporary passwords that must be changed upon first login. This feature ensures team members can regain access while maintaining security protocols.
