[horde] Link only valid for 30 minutes behavior with log out

Gunnar Wrobel wrobel at horde.org
Fri Jun 24 04:06:32 UTC 2011


Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Quoting Gunnar Wrobel <wrobel at horde.org>:
>
>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>
>>> Kareem Dana <kareem.dana at gmail.com> wrote:
>>>
>>>> If I'm logged into Horde but idle for a while, then come back and hit
>>>> log out, I get the following message:
>>>>
>>>> This request cannot be completed because the link you followed or the
>>>> form you submitted was only valid for 30 minutes. Please try again now.
>>>>
>>>> I understand the reason for having this when someone has been idle for
>>>> a while, but I think when they hit log out and only log out, Horde should
>>>> log the user out regardless. Instead, it refreshes my session and I'm back
>>>> to fully logged in and have to hit log out a second time. It can even
>>>> improve security if a user hits log out, just assumes it will log them out
>>>> and either leaves the PC right away or doesn't pay attention to what page
>>>> loads next. I've done that from time to time. Any thoughts on this?
>>>> --
>>>> Horde mailing list
>>>> Frequently Asked Questions: http://horde.org/faq/
>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>
>>> This is to prevent logging a user out if they click on a malicious
>>> logout link someone may have crafted to your Horde server on a
>>> webpage/email etc. Automatically logging the user out defeats
>>> the purpose of this feature.
>>
>> Indeed. A decent protection against such cross-site request forgery  
>> (http://en.wikipedia.org/wiki/Cross-site_request_forgery) is the  
>> use of a token - which we do here. But why does the token need to  
>> time out?
>
> I thought this was done in case the token was somehow compromised,  
> to limit the length of time that a CSRF attempt could work.

If the token was somehow compromised, the attacker most likely has way
more access to your application than you would like. If he was able to
read the token in the HTTP response, he is most likely able to read the
complete HTTP traffic, in which case he has your session anyway and a
CSRF becomes pointless.

> I remember two points that were discussed about this as it related  
> to the logout link; on the one hand, this could be considered a type  
> of 'mini' DoS since the CSRF could cause the user to be logged out,

Yes, it is a DoS indeed.

> while on the other hand, it's only a minor annoyance and a bit  
> confusing for the user to be logged out and the same CSRF would not  
> work a second time. I guess seeing your recent commit, we've settled  
> on the latter.

Maybe I misunderstand you, but: no, I wouldn't say so. All I did with
my commit was to remove the timeout with the reasoning above. That
by no means removes the protection against the cross-site request
forgery, as this is the token itself (with or without the timeout)!
I'm just certain that the timeout brings no additional gain in
security based on the reasoning above.

Cheers,

Gunnar

>
> -- 
> mike
>
> The Horde Project (www.horde.org)
> mrubinsk at horde.org
>

-- 
Core Developer
The Horde Project

e: wrobel at horde.org
t: +49 700 6245 0000
w: http://www.horde.org

pgp: 9703 43BE
tweets: http://twitter.com/pardus_de
blog: http://log.pardus.de
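To make the two positions in this thread concrete, here is an added example (written for this page, not Horde's own code, and in Python rather than Horde's PHP for illustration) of a CSRF-protected logout handler in two variants: a token bound only to the session, as Gunnar's commit leaves it, and a token that additionally carries a 30-minute lifetime, as the original report describes. The `SECRET`, the `Session` stand-in, the token format and the `logout_*` handlers are all assumptions for the example; the scenarios in `demo()` use constructed session and clock values. It shows that a cross-site logout link is rejected by both variants, and that only the timed variant turns a genuine logout click after a long idle period into "link only valid for 30 minutes" while leaving the session alive.

```python
"""
Added example: CSRF token on a logout link, with and without a timeout.
Not Horde code; SECRET, Session, token format and handlers are assumptions.
"""
import hashlib
import hmac
import secrets

SECRET = b"example-server-side-secret"   # assumption: a per-installation secret kept on the server
TOKEN_LIFETIME = 30 * 60                  # the 30-minute limit quoted in the report


class Session:
    """Minimal stand-in for a server-side session (constructed for this example)."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(16)
        self.logged_in = True


def session_token(session: Session) -> str:
    """CSRF token bound only to the session: valid exactly as long as the session is."""
    return hmac.new(SECRET, b"logout:" + session.id.encode(), hashlib.sha256).hexdigest()


def timed_token(session: Session, issued_at: int) -> str:
    """CSRF token that also commits to its issue time, so the server can expire it."""
    msg = f"logout:{session.id}:{issued_at}".encode()
    return f"{issued_at}:{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def logout_untimed(session: Session, token) -> str:
    """Logout handler with a session-bound token and no timeout."""
    if not isinstance(token, str) or not hmac.compare_digest(token, session_token(session)):
        return "rejected: missing or foreign token"   # cross-site link: session untouched
    session.logged_in = False
    return "logged out"


def logout_timed(session: Session, token, now: int) -> str:
    """Logout handler that additionally enforces TOKEN_LIFETIME on the token."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return "rejected: missing or malformed token"
    expected = timed_token(session, issued_at).split(":", 1)[1]
    if not hmac.compare_digest(mac, expected):
        return "rejected: foreign token"
    if now - issued_at > TOKEN_LIFETIME:
        # The branch the report describes: a genuine logout link is refused
        # because it is old, and the user stays logged in.
        return "rejected: link only valid for 30 minutes"
    session.logged_in = False
    return "logged out"


def demo() -> dict:
    """Run the scenarios from the thread; returns (result, still_logged_in) per case."""
    results = {}
    issued = 1_000_000  # constructed clock values; only the differences matter

    # 1. Attacker-crafted logout link: no token, or a token from the attacker's own session.
    victim, attacker = Session(), Session()
    results["untimed_forged_no_token"] = (logout_untimed(victim, None), victim.logged_in)
    results["untimed_forged_other_session"] = (
        logout_untimed(victim, session_token(attacker)), victim.logged_in)

    # 2. Genuine logout link, clicked two hours after the page was rendered: no timeout, so it works.
    victim = Session()
    results["untimed_idle_2h"] = (logout_untimed(victim, session_token(victim)), victim.logged_in)

    # 3. The same scenarios with the timed token.
    victim, attacker = Session(), Session()
    results["timed_forged_other_session"] = (
        logout_timed(victim, timed_token(attacker, issued), issued + 60), victim.logged_in)
    results["timed_fresh"] = (
        logout_timed(victim, timed_token(victim, issued), issued + 60), victim.logged_in)
    victim = Session()
    results["timed_idle_2h"] = (
        logout_timed(victim, timed_token(victim, issued), issued + 2 * 3600), victim.logged_in)
    return results


if __name__ == "__main__":
    for name, (outcome, still_in) in demo().items():
        print(f"{name:30} -> {outcome}; still logged in: {still_in}")
```

The forged-link cases are rejected identically by both handlers because the attacker cannot compute an HMAC over the victim's session id; the timeout contributes nothing there. The only behavioural difference appears in the `*_idle_2h` cases, where the timed variant refuses a legitimate logout and leaves the session logged in, which is exactly the annoyance the report describes.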
