[horde] Horde form tokens

Andrew Morgan morgan at orst.edu
Thu Jul 9 16:38:53 UTC 2009


On Thu, 9 Jul 2009, Chuck Hagenbuch wrote:

> Quoting Andrew Morgan <morgan at orst.edu>:
>
>> How does the CSRF work?  Maybe if I understood what was happening I could 
>> debug it further on my end.
>
> A token is generated for the action being taken (separate tokens for logout, 
> compose, etc.). It is stored in the session, and also put into the form data 
> for the action. When the action is submitted, the token has to be in the 
> user's session and not expired.
>
> The relevant code for your version is in imp/lib/IMP.php, in getRequestToken 
> and checkRequestToken.
>
> Looking there now, it looks like the FW3/IMP implementation uses seconds, not 
> minutes, so you might check that. HOWEVER - the error message your user is 
> getting indicates that the token isn't in their session at all, not that it 
> has timed out. That's why I asked about external auth or potential session 
> resets.

Okay, I'm checking with the user to see if they are logged out at the time 
this error occurs.

Side note - it seems there are 2 token_lifetime config parameters:

$conf['urls']['token_lifetime'] = 240;  (in horde's conf.php)
$conf['server']['token_lifetime'] = 1800;  (in imp's conf.php)

The horde parameter is specified in minutes and the imp parameter is 
specified in seconds.

Do these parameters both serve the same purpose?  Should I set them to the 
same value (in the appropriate unit of time)?  I'm not sure why I 
increased the horde value from the default 30 minutes to 240 minutes.  Are 
other folks using higher values, or should I stick to the defaults?

Thanks,
 	Andy
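The per-action token flow Chuck describes above (a token issued per action, stored in the session and embedded in the form, then required to be present and unexpired when the action is submitted), as an added illustration written for this thread in Python rather than the PHP of imp/lib/IMP.php. The function names echo getRequestToken/checkRequestToken, but the session dict, the lifetime in seconds and the separate "missing" / "expired" / "invalid" outcomes are assumptions of this example, not Horde's code; the point is that a session reset yields "missing", not "expired", which is the distinction drawn in the reply.

```python
import hmac
import secrets
import time

# Lifetime in seconds, as IMP's token_lifetime (Horde's urls setting is in minutes).
TOKEN_LIFETIME = 1800


def get_request_token(session, action, now=None, lifetime=TOKEN_LIFETIME):
    """Issue (or reuse) the token for one action ('logout', 'compose', ...).
    It is stored in the session under that action; the caller embeds the
    returned value as a hidden field in the form for the action."""
    now = time.time() if now is None else now
    tokens = session.setdefault("tokens", {})
    entry = tokens.get(action)
    if entry is None or now - entry["issued"] > lifetime:
        entry = {"value": secrets.token_hex(16), "issued": now}
        tokens[action] = entry
    return entry["value"]


def check_request_token(session, action, submitted, now=None, lifetime=TOKEN_LIFETIME):
    """Validate a submitted token and report why it failed, if it did:
    'missing' - no token for this action in the session (session reset /
                logged out), which is the case Chuck points at;
    'expired' - token exists but is older than the lifetime;
    'invalid' - token exists but the submitted value does not match;
    'ok'      - present, unexpired and matching."""
    now = time.time() if now is None else now
    entry = session.get("tokens", {}).get(action)
    if entry is None:
        return "missing"
    if now - entry["issued"] > lifetime:
        return "expired"
    if not hmac.compare_digest(entry["value"], submitted or ""):
        return "invalid"
    return "ok"


def demo():
    """Walk the cases from the thread with a constructed in-memory session."""
    session = {}
    token = get_request_token(session, "logout", now=1000.0)
    return {
        "fresh": check_request_token(session, "logout", token, now=1100.0),
        "other_action": check_request_token(session, "compose", token, now=1100.0),
        "after_1801s": check_request_token(session, "logout", token, now=2801.0),
        "session_reset": check_request_token({}, "logout", token, now=1100.0),
    }
```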
