[Tickets #12136] Re: Session Timeout not enforced
noreply at bugs.horde.org
Tue Apr 16 19:53:07 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12136
------------------------------------------------------------------------------
Ticket | 12136
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Session Timeout not enforced
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2013-04-16 13:53) wrote:
You have yet to explain HOW it is a "security issue" when, for
example, a session lasts 35 minutes and the session timeout value is
actually 30 minutes. What about those extra 5 minutes makes it a
"security issue"?
We don't guarantee a session will automatically timeout at 30 minutes
and 1 second, and why would we? Session timeouts are not (and should
not) be an exact value. Session timeouts are there to prevent a
SINGLE attack vector: someone manages to obtain your session
credentials/ID (the assumption being that this takes time) and can
then use this to access an unexpired session at some point in the
future. Having a session persist 5-10 minutes beyond its timeout
value does not materially affect/change this vector.
Those links you provided are not helpful. You absolutely do NOT want
to be setting/changing a "timestamp" in your session every page
access. Yikes.