[Tickets #12136] Session Timeout not enforced
noreply at bugs.horde.org
Fri Mar 22 13:01:49 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12136
------------------------------------------------------------------------------
Ticket | 12136
Created By | o+horde at immerda.ch
Summary | Session Timeout not enforced
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Unconfirmed
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
o+horde at immerda.ch (2013-03-22 13:01) wrote:
Currently Horde relies only on session.gc_maxlifetime to enforce session
timeouts.
Especially on systems where gc_probability needs to be low for
performance reasons, or on low-traffic servers, this is a serious
problem, since sessions might remain valid significantly longer than was
intended by the admin when setting conf['session']['timeout'].
Therefore we should always check the last modification of the
session and deny authentication if the session should have timed out.
Still working on a patch...
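
The check proposed in the ticket can be sketched as follows. This is an added example, not part of the ticket and not Horde's code or the reporter's patch: the `_last_seen` key and all three function names are hypothetical, and the sample sessions are constructed. It rejects a session by its own last-use timestamp, so expiry no longer depends on when PHP's session garbage collector happens to run.

```php
<?php
// Added example, not Horde code. The key and function names are hypothetical.
const LAST_SEEN_KEY = '_last_seen';

/** Stamp the session when the user authenticates. */
function mark_session_active(array &$session, int $now): void
{
    $session[LAST_SEEN_KEY] = $now;
}

/**
 * Return true if the session was used within $timeout seconds of $now and
 * refresh its timestamp; return false if it must be treated as expired,
 * whether or not the garbage collector has removed the stored data yet.
 */
function session_is_fresh(array &$session, int $timeout, int $now): bool
{
    $last = $session[LAST_SEEN_KEY] ?? null;
    // Fail closed: a missing, non-integer or future timestamp is not trusted.
    if (!is_int($last) || $last > $now) {
        return false;
    }
    if ($now - $last > $timeout) {
        return false;
    }
    $session[LAST_SEEN_KEY] = $now; // sliding idle window
    return true;
}

/** Call on every authenticated request, after session_start(). */
function enforce_session_timeout(int $timeout): bool
{
    if (session_is_fresh($_SESSION, $timeout, time())) {
        return true;
    }
    $_SESSION = [];    // drop authentication state for this request
    session_destroy(); // delete the stored session data now
    return false;      // caller sends the user back to the login page
}

// Constructed sample sessions, checked against a one-hour timeout.
$now   = 1363957309;
$stale = [LAST_SEEN_KEY => $now - 7200, 'user' => 'alice']; // idle for two hours
$live  = [LAST_SEEN_KEY => $now - 600,  'user' => 'bob'];   // idle for ten minutes
var_dump(session_is_fresh($stale, 3600, $now));
var_dump(session_is_fresh($live, 3600, $now));
```

The stale session is rejected even though its data is still present in the session store, which is the case the ticket describes for a low gc_probability or a low-traffic server.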