[Tickets #12136] Re: Session Timeout not enforced
noreply at bugs.horde.org
Tue Apr 16 19:20:18 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12136
------------------------------------------------------------------------------
Ticket | 12136
Updated By | o+horde at immerda.ch
Summary | Session Timeout not enforced
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
o+horde at immerda.ch (2013-04-16 19:20) wrote:
> Do Michael's latest commits close this ticket?
I disagree strongly with the comments. Horde has no reliable session
inactivity timeout mechanism and this needs to be addressed. How can
you argue not to fix a security issue, because it's hard to implement??
Horde currently relies solely on gc_maxlifetime to discard inactive
sessions, which is not reliable!
See e.g.
http://stackoverflow.com/questions/1236374/session-timeouts-in-php-best-practices
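
The following is an added example, not part of the ticket and not Horde's code: a sketch of an inactivity timeout decided from a timestamp kept in the session data, so the outcome does not depend on when PHP's session garbage collection runs. The function names, the `user` and `last_activity` keys and the 1800-second limit are assumptions made for illustration.

```php
<?php
// Added example: all names below are hypothetical, not Horde's API.
const IDLE_LIMIT = 1800; // assumed policy: 30 minutes of inactivity

// Call once after successful authentication.
function mark_login(array &$session, string $user, int $now): void
{
    $session['user'] = $user;
    $session['last_activity'] = $now;
}

// Call on every request before trusting the session.
// The decision uses a timestamp stored in the session itself, so it holds
// even if the session file still exists because PHP's probabilistic GC
// (session.gc_probability / session.gc_divisor) has not removed it yet.
function session_is_live(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;
    if (!isset($session['user']) || !is_int($last) || $now - $last > $limit) {
        // Not logged in, marker missing or malformed, or idle too long:
        // drop all state. A real caller would also call session_destroy().
        $session = [];
        return false;
    }
    $session['last_activity'] = $now; // sliding window: each request renews it
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION, and the
// timestamps are made up so the script runs offline from the CLI.
$s  = [];
$t0 = 1366140000;
mark_login($s, 'alice', $t0);

$t1 = $t0 + 600;          // request after 10 minutes idle
$t2 = $t1 + IDLE_LIMIT;   // request exactly at the limit since the last hit
$t3 = $t2 + IDLE_LIMIT + 1; // request one second past the limit
$t4 = $t3 + 1;            // follow-up request with the old cookie

foreach ([$t1, $t2, $t3, $t4] as $t) {
    printf("t=+%5ds live=%s\n", $t - $t0, var_export(session_is_live($s, $t), true));
}
```

In a web request the same functions would be called with `$_SESSION` and `time()` after `session_start()`.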