[dev] [commits] Horde branch master updated. 17c3c203f309f2d3170033708374d04eb77cb36b

Michael M Slusarz slusarz at horde.org
Wed Nov 24 18:02:20 UTC 2010


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Gunnar Wrobel <p at rdus.de>:
>
>> The idea is to avoid storing nonces/tokens in the session.  
>> Currently Horde mainly uses timed tokens that are being remembered  
>> in the session on creation. As far as I can see it would be a  
>> reasonable alternative to sign a timestamp with a secret from the  
>> session and use the combination of both as a token. Validation of  
>> the token requires just the token and the secret from the session  
>> again. Time based expiration of the token only requires the token  
>> itself.
>
> This sounds like a promising idea.  Right now, we are tremendously  
> inefficient when it comes to storing tokens.  For example, using  
> Horde for even a small period of time can result in 50+ form tokens  
> being hauled around needlessly in the session data.  This was  
> something I was going to look into, and this solution would be a  
> preferred way of dealing with this problem.

I'd like to bump this idea to critical status.  Today I've been using  
the traditional interface for several hours.  Just checked my session  
and I have over 500! form_secrets entries, which is taking up 25 KB+  
of the session.  It is about half the contents of my current session.   
That is unacceptable.

Gunnar - let me know if I can do anything to help this along.

michael

-- 
___________________________________
Michael Slusarz [slusarz at horde.org]
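
The scheme proposed in the quoted message above (sign a timestamp with a per-session secret and send both as the token), sketched in PHP as an added example that is not part of the original e-mail or Horde's code. The function names, token layout, random nonce and 30-minute lifetime are assumptions.

```php
<?php
// Added example, not Horde code. Function names, token layout and the
// 30-minute lifetime are assumptions made for illustration.

const TOKEN_LIFETIME = 1800; // seconds; assumed value

/** Create "timestamp.nonce.mac"; nothing is stored per token. */
function token_create(string $sessionSecret, ?int $now = null): string
{
    $ts    = (string)($now ?? time());
    $nonce = bin2hex(random_bytes(8)); // keeps same-second tokens distinct
    $mac   = hash_hmac('sha256', $ts . '.' . $nonce, $sessionSecret);
    return $ts . '.' . $nonce . '.' . $mac;
}

/** Expiry needs only the token itself, as the proposal notes. */
function token_is_expired(string $token, ?int $now = null): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return true; // malformed tokens are treated as expired
    }
    $age = ($now ?? time()) - (int)$parts[0];
    return $age < 0 || $age > TOKEN_LIFETIME; // future timestamps rejected too
}

/** Full validation: cheap expiry check first, then the signature. */
function token_is_valid(string $token, string $sessionSecret, ?int $now = null): bool
{
    if (token_is_expired($token, $now)) {
        return false;
    }
    [$ts, $nonce, $mac] = explode('.', $token);
    $expected = hash_hmac('sha256', $ts . '.' . $nonce, $sessionSecret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo: one secret per session replaces the per-form entries.
$secret = random_bytes(32);
$t0     = 1290621740; // constructed timestamp
$token  = token_create($secret, $t0);

var_dump(token_is_valid($token, $secret, $t0 + 60));          // fresh token, same session
var_dump(token_is_valid($token, $secret, $t0 + 3600));        // same token after the lifetime
var_dump(token_is_valid($token, random_bytes(32), $t0 + 60)); // checked against another session's secret
$forged = ($t0 + 3000) . substr($token, strlen((string)$t0));
var_dump(token_is_valid($forged, $secret, $t0 + 3600));       // timestamp altered, MAC unchanged
```

Unlike a token remembered in the session, a signed token can be submitted repeatedly until it expires; single-use semantics would still require server-side state.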


