[horde] Link only valid for 30 minutes behavior with log out

Gunnar Wrobel wrobel at horde.org
Thu Jun 23 04:53:45 UTC 2011


Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Kareem Dana <kareem.dana at gmail.com> wrote:
>
>> If I'm logged into horde, but idle for a while then come back and hit
>> log out, I get the following message:
>>
>> This request cannot be completed because the link you followed or the
>> form you submitted was only valid for 30 minutes. Please try again now.
>>
>> I understand the reason for having this when someone has been idle for
>> a while, but I think when they hit log out and only log out, horde
>> should log the user out regardless. Instead, it refreshes my session
>> and I'm back to fully logged in and have to hit log out a second time.
>> It can even improve security if a user hits log out, just assumes it
>> will log them out and either leaves the pc right away or doesn't pay
>> attention to what page loads next. I've done that from time to time.
>> Any thoughts on this?
>> --
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
> This is to prevent logging a user out if they click on a malicious
> logout link someone may have crafted to your Horde server on a
> webpage/email etc... automatically logging the user out defeats the
> purpose of this feature.

Indeed. A decent protection against such cross-site request forgery
(http://en.wikipedia.org/wiki/Cross-site_request_forgery) is the use
of a token - which we do here. But why does the token need to time out?

Cheers,

Gunnar

> --
> Mike
> Sent from mobile

-- 
Core Developer
The Horde Project

e: wrobel at horde.org
t: +49 700 6245 0000
w: http://www.horde.org

pgp: 9703 43BE
tweets: http://twitter.com/pardus_de
blog: http://log.pardus.de

