[Tickets #12136] Re: Session Timeout not enforced
noreply at bugs.horde.org
Tue Apr 16 20:13:06 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12136
------------------------------------------------------------------------------
Ticket | 12136
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Session Timeout not enforced
Queue | Horde Framework Packages
Version | Git master
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2013-04-16 14:13) wrote:
Not to mention the idea of a session "timeout" being the last time you
accessed a server is a dangerous concept. If using something like
dynamic IMP, your session will NEVER time out. So your proposal
actually opens up additional security holes.

The only way to correctly "timeout" a session is to implement a time
limit AT THE TIME OF THE INITIAL AUTHENTICATION. This is what we
provide via the max_time configuration option. Anything else might
help in certain situations (e.g. a single user system) but will hurt
in other situations (a single user system where the user never closes
their browser).
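
The difference between the two timeout models in the comment above, as an added example that is not Horde code and not part of the ticket: a client that only sends background polls (as a dynamic mail view would) is checked against an idle limit and against a limit measured from authentication. `Session`, `is_valid`, `simulate` and `idle_limit` are hypothetical names; `max_time` borrows the option name from the message, and its logic here is an assumption about how an absolute limit behaves.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    auth_time: int    # second at which the user authenticated
    last_access: int  # refreshed on every request, background polls included


def is_valid(s: Session, now: int,
             idle_limit: Optional[int] = None,
             max_time: Optional[int] = None) -> bool:
    """Return True if the session is still acceptable at time `now`."""
    # Idle model: measured from the last request of any kind.
    if idle_limit is not None and now - s.last_access > idle_limit:
        return False
    # Absolute model: measured from the initial authentication only.
    if max_time is not None and now - s.auth_time > max_time:
        return False
    return True


def simulate(poll_interval: int, duration: int,
             idle_limit: Optional[int] = None,
             max_time: Optional[int] = None) -> Optional[int]:
    """Drive a session with background polls only (no user activity).

    Returns the second at which the session is first rejected,
    or None if it is still valid after `duration` seconds.
    """
    s = Session(auth_time=0, last_access=0)
    for now in range(poll_interval, duration + 1, poll_interval):
        if not is_valid(s, now, idle_limit, max_time):
            return now
        s.last_access = now  # every accepted poll resets the idle clock
    return None


if __name__ == "__main__":
    day = 24 * 3600  # constructed scenario: browser left open for a day
    print("idle limit only :", simulate(60, day, idle_limit=1800))
    print("max_time only   :", simulate(60, day, max_time=3600))
    print("both            :", simulate(60, day, idle_limit=1800, max_time=3600))
```
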