[Tickets #13448] horde_secret_key cookie does not use configured session timeout
noreply at bugs.horde.org
noreply at bugs.horde.org
Mon Aug 18 08:09:21 UTC 2014
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/13448
------------------------------------------------------------------------------
Ticket | 13448
Created By | horde at stefanseidel.info
Summary | horde_secret_key cookie does not use configured
| session timeout
Queue | Horde Framework Packages
Version | FRAMEWORK_5_1
Type | Enhancement
State | New
Priority | 1. Low
Milestone |
Patch | 1
Owners |
------------------------------------------------------------------------------
horde at stefanseidel.info (2014-08-18 08:09) wrote:
I'm not sure if this a bug or a feature, but according to
http://lists.horde.org/archives/horde/Week-of-Mon-20140203/050583.html
it seems it is not intentional:
in pear/php/Horde/Secret.php, a cookie is set, and the lifetime of the
cookie is set to 0, which means it is removed when the browser is
closed. This can be seen as a security feature, however, it is not
consistent with the rest of the horde session, because its cookie
timeout is set according to $conf['session']['timeout']. Attached is a
small workaround that honours this configuration setting, and with
this the horde session expires at the same time as the horde_secret.
horde at stefanseidel.info (2014-08-18 08:09) uploaded: hs.patch
http://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=hs.patch&ticket=13448&fn=%2Fhs.patch
More information about the bugs
mailing list