[Tickets #12136] Re: Session Timeout not enforced

noreply at bugs.horde.org
Tue Apr 16 19:20:18 UTC 2013


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/12136
------------------------------------------------------------------------------
  Ticket             | 12136
  Updated By         | o+horde at immerda.ch
  Summary            | Session Timeout not enforced
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Feedback
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


o+horde at immerda.ch (2013-04-16 19:20) wrote:

> Do Michael's latest commits close this ticket?

I disagree strongly with the comments. Horde has no reliable session
inactivity timeout mechanism and this needs to be addressed. How can
you argue not to fix a security issue, because it's hard to implement??

Horde currently relies solely on gc_maxlifetime to discard inactive
sessions, which is not reliable!

See e.g.
http://stackoverflow.com/questions/1236374/session-timeouts-in-php-best-practices
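
An added example, not part of the original message and not Horde's code: an application-level inactivity check of the kind the comment asks for, which stores the last request time in the session and rejects the session once the idle limit is exceeded, regardless of when PHP's session garbage collector runs. The function name `enforce_idle_timeout`, the `last_activity` key and the 30-minute limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; names and values below are hypothetical, not Horde's.
const IDLE_TIMEOUT = 1800; // idle limit in seconds (constructed value)

/**
 * Enforce the idle limit on every request.
 *
 * session.gc_maxlifetime only marks data as eligible for deletion; the
 * collector itself runs probabilistically (session.gc_probability /
 * session.gc_divisor) or from an external cron job, so a stale session
 * can stay usable long after the limit. Comparing a server-side
 * timestamp on each request removes that dependency.
 *
 * Takes the session array by reference so the logic can be exercised
 * without a live session. Returns false when the session has expired.
 */
function enforce_idle_timeout(array &$session, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    if (isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $timeout) {
        $session = [];              // drop all data, including auth state
        return false;
    }
    $session['last_activity'] = $now;   // sliding window: refresh on activity
    return true;
}

session_start();

if (!enforce_idle_timeout($_SESSION, time())) {
    // Expired: remove the server-side record and issue a fresh session ID
    // so the old identifier cannot be reused.
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
    $_SESSION['last_activity'] = time();
    // The caller should now treat the user as unauthenticated.
}
```

The timestamp lives in server-side session data, so the client cannot extend its own session by altering a cookie value.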




