[horde] Link only valid for 30 minutes behavior with log out

Michael J Rubinsky mrubinsk at horde.org
Thu Jun 23 13:55:34 UTC 2011


Quoting Gunnar Wrobel <wrobel at horde.org>:

> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>
>> Kareem Dana <kareem.dana at gmail.com> wrote:
>>
>>> If I'm logged into horde, but idle for a while then come back and hit
>>> log out, I get the following message:
>>>
>>> This request cannot be completed because the link you followed or the
>>> form you submitted was only valid for 30 minutes. Please try again now.
>>>
>>> I understand the reason for having this when someone has been idle for
>>> a while, but I think when they hit log out and only log out, horde
>>> should log the user out regardless. Instead, it refreshes my session
>>> and I'm back to fully logged in and have to hit log out a second time.
>>> It can even improve security if a user hits log out, just assumes it
>>> will log them out and either leaves the pc right away or doesn't pay
>>> attention to what page loads next. I've done that from time to time.
>>> Any thoughts on this?
>>> --
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>> This is to prevent logging a user out if they click on a malicious  
>> logout link someone may have crafted to your Horde server on a  
>> webpage/email etc... automatically logging the user out defeats the  
>> purpose of this feature.
>
> Indeed. A decent protection against such cross-site request forgery  
> (http://en.wikipedia.org/wiki/Cross-site_request_forgery) is the use  
> of a token - which we do here. But why does the token need to time  
> out?

I thought this was done in case the token was somehow compromised, to  
limit the length of time that a CSRF attempt could work. I remember  
two points that were discussed about this as it related to the logout  
link; on the one hand, this could be considered a type of 'mini' DOS  
since the CSRF could cause the user to be logged out, while on the  
other hand, it's only a minor annoyance and a bit confusing for the  
user to be logged out and the same CSRF would not work a second time.  
I guess seeing your recent commit, we've settled on the latter.

-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
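The mechanism the thread is arguing about, as an added illustration that is not Horde's own code: a logout link carries a token bound to the user's session and to the action, and the server accepts it only if the MAC verifies and the token was issued within the last 30 minutes. A link crafted by a third party carries no valid token (no session key, so no MAC) and is rejected; a legitimate link that has sat idle past the window is rejected too, which is exactly the message quoted above. The token layout, the `make_token`/`check_token`/`handle_logout` names and the session dictionary are assumptions made for the example; Horde's real implementation is not shown on this page.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Lifetime matches the 30-minute window mentioned in the thread.
TOKEN_LIFETIME = 30 * 60

# Token format (an assumption for this example, not Horde's):
#   urlsafe_base64( issued_at (8 bytes, big-endian) || HMAC-SHA256(session_key, issued_at || action) )
# The MAC binds the token to one session and one action, so a link an
# attacker crafts on another site cannot carry a token that verifies.

def make_token(session_key: bytes, action: str, now: int) -> str:
    """Issue a token for `action`, timestamped with `now` (unix seconds)."""
    issued = struct.pack(">Q", now)
    mac = hmac.new(session_key, issued + action.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(issued + mac).decode()

def check_token(session_key: bytes, action: str, token: str, now: int,
                lifetime: int = TOKEN_LIFETIME) -> str:
    """Return 'ok', 'missing', 'invalid' or 'expired'.

    The MAC is verified before the timestamp is trusted, so a tampered
    issue time is reported as 'invalid' rather than treated as fresh.
    """
    if not token:
        return "missing"
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return "invalid"
    if len(raw) != 8 + hashlib.sha256().digest_size:
        return "invalid"
    issued_bytes, mac = raw[:8], raw[8:]
    expected = hmac.new(session_key, issued_bytes + action.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    issued = struct.unpack(">Q", issued_bytes)[0]
    if issued > now or now - issued > lifetime:
        return "expired"
    return "ok"

def handle_logout(session: dict, token: str, now: int):
    """Server side of the logout link.

    Only a verified, unexpired token ends the session. On any other
    result the session is left intact, which is the behaviour the
    original poster observed (the page reloads and you are still logged in).
    """
    status = check_token(session["key"], "logout", token, now)
    if status != "ok":
        return False, status
    session.clear()
    return True, "logged out"

if __name__ == "__main__":
    # Constructed session: a per-session secret and a logged-in user.
    session = {"key": b"\x01" * 32, "user": "kareem"}
    t0 = 1_000_000
    link_token = make_token(session["key"], "logout", t0)

    # A link from a third party carries no usable token: user stays logged in.
    print(handle_logout(session, "", t0))                  # (False, 'missing')
    # The same link clicked after sitting idle for 31 minutes: rejected.
    print(handle_logout(session, link_token, t0 + 31 * 60))  # (False, 'expired')
    # Clicked within the window: the session is actually ended.
    print(handle_logout(session, link_token, t0 + 5 * 60))   # (True, 'logged out')
```

The expiry is what turns a leaked token from a permanent logout link into one that works for at most half an hour, which is the rationale Mike recalls; the trade-off the thread weighs is that the same mechanism also rejects a genuine logout click after the window has passed.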
