[horde] Link only valid for 30 minutes behavior with log out

Ralf Lang lang at b1-systems.de
Fri Jun 24 09:05:28 UTC 2011


On Friday, 24 June 2011, 06:06:32, Gunnar Wrobel wrote:
> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
> > Quoting Gunnar Wrobel <wrobel at horde.org>:
> 
> > I remember two points that were discussed about this as it related
> > to the logout link; on the one hand, this could be considered a type
> > of 'mini' DoS since the CSRF could cause the user to be logged out,
> 
> Yes, it is DoS indeed.
> 
> > while on the other hand, it's only a minor annoyance and a bit
> > confusing for the user to be logged out and the same CSRF would not
> > work a second time. I guess seeing your recent commit, we've settled
> > on the latter.
> 
> Maybe I misunderstand you but: No, I wouldn't say so. All I did with
> my commit was to remove the timeout with the reasoning above. That
> does by no means remove the protection against the cross site request
> forgery - as this is the token itself (with or without the timeout)!
> I'm just certain that the timeout brings no additional gain in
> security based on the reasoning above.

Just for understanding: if a token has no timeout and is never used (the client 
closes the browser instead of logging out), will it ever be cleaned from the backend?

-- 
Ralf Lang
Linux Consultant / Developer

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
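The thread above argues that the CSRF protection on the logout link is the token itself, that the 30-minute timeout only adds the "stale link" annoyance, and asks whether unused tokens ever get cleaned up. The following is an added example, not Horde's code, that models one way to build such a token so all three points can be checked: the token is an HMAC over the session id (and an optional expiry), so nothing is stored server-side and there is nothing to clean up when the browser is simply closed. The `Session` class, `SERVER_SECRET`, the `logout_token`/`logout` functions and the `scenario` timeline are assumptions made for this example; Horde's actual token implementation may differ.

```python
"""Added example (not Horde's code): a CSRF-protected logout link with and
without the 30-minute token timeout discussed in the thread."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-installation secret
TIMEOUT = 30 * 60                          # the 30 minutes from the subject line


class Session:
    """Constructed stand-in for a server-side session record."""
    def __init__(self, user):
        self.sid = secrets.token_hex(16)   # unguessable by a cross-site attacker
        self.user = user


def logout_token(session, now, lifetime=None):
    """Stateless token: HMAC(secret, "logout" || session id || expiry).

    lifetime=None is the no-timeout variant. Because the token is derived
    rather than stored, an unused token needs no backend cleanup; it becomes
    useless as soon as the session id it is bound to is gone."""
    expires = 0 if lifetime is None else now + lifetime
    msg = f"logout:{session.sid}:{expires}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def logout(session, token, now):
    """Handle GET /logout?token=...; return True iff the session was destroyed."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    msg = f"logout:{session.sid}:{expires}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False          # forged or foreign token: the CSRF case is blocked
    if expires and now > expires:
        return False          # timed out: the "minor annoyance" case
    session.user = None       # destroy the session
    return True


def scenario(lifetime):
    """Constructed timeline. Victim logs in at t=0 and renders a page holding
    a logout link. An attacker tries a forged link at t=60s. The victim clicks
    the real link 45 minutes later, then logs in again and someone replays the
    old link. Returns (forged_logged_out, stale_click_logged_out, replay_logged_out)."""
    victim = Session("alice")
    link = logout_token(victim, now=0, lifetime=lifetime)

    # The attacker can only mint tokens for a session id they know: their own.
    attacker = Session("mallory")
    forged = logout_token(attacker, now=0, lifetime=lifetime)
    forged_ok = logout(victim, forged, now=60)

    # The victim's own link, clicked after 45 minutes.
    stale_ok = logout(victim, link, now=45 * 60)

    # After logging out and back in, the session id changes, so the old
    # link cannot work "a second time".
    victim_again = Session("alice")
    replay_ok = logout(victim_again, link, now=46 * 60)
    return forged_ok, stale_ok, replay_ok


if __name__ == "__main__":
    print("with 30 min timeout:", scenario(TIMEOUT))   # (False, False, False)
    print("without timeout:   ", scenario(None))       # (False, True, False)
```

In both variants the forged request fails and the replay after re-login fails, which is the point that the token, not the timeout, carries the CSRF protection. The only observable difference is that the 30-minute variant also rejects the victim's own link once it is older than the timeout. If tokens were instead stored in the session record, the cleanup question would be answered by whatever expires the session itself, since the tokens would be discarded with it.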

