[horde] Horde imp logging out
Andrew Morgan
morgan at orst.edu
Tue Mar 27 16:51:17 UTC 2007

On Tue, 27 Mar 2007, Laura McCord wrote:

> Won't this leave us completely open to session hijacking if I set it to
> false?

You can set:

    $conf['auth']['checkbrowser'] = true;

which should verify that the browser doesn't change between requests.
If you are using cookies ($conf['session']['use_only_cookies'] = true;),
then someone would have to get the user's cookie in order to hijack their
session anyway. Plus, I think Horde rotates the session key on every
page load.

I'd prefer to check IP addresses, but a lot of people sit behind multiple
proxy servers (AOL does this I know) which break this kind of spoofing
check.

Andy
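The three mechanisms Andy mentions (pinning the session to the browser, rotating the session id on every page load, and the IP check that breaks behind proxy pools) can be modelled in a few lines. The following is an added, self-contained Python model written for this thread; it is not Horde's code, and the User-Agent strings, addresses and user name are constructed sample values. It shows what each binding does and does not catch from a defender's point of view, including the proxy-rotation failure mode that makes the IP check impractical.

```python
import hashlib
import secrets


def browser_fingerprint(user_agent: str) -> str:
    """Hash of the User-Agent header. The 'checkbrowser' idea is to pin the
    session to this value and reject requests where it changes."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    """In-memory model of a cookie-based session store with an optional
    browser check, an optional IP check, and per-request id rotation.
    Illustrative code only (assumed design, not Horde's implementation)."""

    def __init__(self, check_browser: bool = True, check_ip: bool = False):
        self.check_browser = check_browser
        self.check_ip = check_ip
        self._sessions = {}  # session id -> record

    def login(self, user: str, user_agent: str, ip: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = {
            "user": user,
            "fp": browser_fingerprint(user_agent),
            "ip": ip,
        }
        return sid

    def request(self, sid: str, user_agent: str, ip: str):
        """Validate a request carrying session cookie `sid`.
        Returns (user, new_sid) on success, or (None, None) when the id is
        unknown or a binding check fails; the old id is invalidated either
        way, so every successful page load rotates the session key."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None, None
        if self.check_browser and rec["fp"] != browser_fingerprint(user_agent):
            return None, None
        if self.check_ip and rec["ip"] != ip:
            return None, None
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = rec
        return rec["user"], new_sid


# Constructed sample values for the walk-through below.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
CURL = "curl/7.20.0"


def demo():
    results = {}

    # 1. checkbrowser: a copied cookie presented by a different client is rejected.
    store = SessionStore(check_browser=True)
    sid = store.login("laura", FIREFOX, "10.0.0.5")
    results["replay_other_browser"] = store.request(sid, CURL, "203.0.113.9")[0]

    # 2. The User-Agent is client-supplied, so checkbrowser alone cannot tell a
    #    copied cookie apart from the real browser if the header matches; the
    #    cookie itself still has to stay confidential (use_only_cookies etc.).
    store = SessionStore(check_browser=True)
    sid = store.login("laura", FIREFOX, "10.0.0.5")
    results["replay_same_ua"] = store.request(sid, FIREFOX, "203.0.113.9")[0]

    # 3. Rotation: once the legitimate user has made a request, the id that
    #    was in the old cookie is dead, which shrinks the replay window.
    store = SessionStore(check_browser=True)
    sid = store.login("laura", FIREFOX, "10.0.0.5")
    user, new_sid = store.request(sid, FIREFOX, "10.0.0.5")
    results["legit_after_rotation"] = user
    results["replay_old_id"] = store.request(sid, FIREFOX, "10.0.0.5")[0]
    results["legit_new_id"] = store.request(new_sid, FIREFOX, "10.0.0.5")[0]

    # 4. IP check behind a proxy pool: the same user's source address changes
    #    between two requests, so the binding logs the real user out.
    store = SessionStore(check_browser=True, check_ip=True)
    sid = store.login("laura", FIREFOX, "198.51.100.1")
    user, sid = store.request(sid, FIREFOX, "198.51.100.1")
    results["proxy_rotated_ip"] = store.request(sid, FIREFOX, "198.51.100.2")[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 2 is the caveat behind Laura's question: the browser check raises the bar only slightly, because the header it compares is chosen by the client. The protection that actually matters is keeping the cookie out of reach (cookie-only sessions, HTTPS) plus the short replay window that rotation gives; case 4 is why binding to the client address, although stronger on paper, is not usable for users behind rotating proxies.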