[horde] Link only valid for 30 minutes behavior with log out

Gunnar Wrobel wrobel at horde.org
Fri Jun 24 09:41:26 UTC 2011


Quoting Ralf Lang <lang at b1-systems.de>:

> On Friday, 24 June 2011 at 06:06:32, Gunnar Wrobel wrote:
>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>> > Quoting Gunnar Wrobel <wrobel at horde.org>:
>>
>> > I remember two points that were discussed about this as it related
>> > to the logout link; on the one hand, this could be considered a type
>> > of 'mini' DOS since the CSRF could cause the user to be logged out,
>>
>> Yes, it is DOS indeed.
>>
>> > while on the other hand, it's only a minor annoyance and a bit
>> > confusing for the user to be logged out and the same CSRF would not
>> > work a second time. I guess seeing your recent commit, we've settled
>> > on the latter.
>>
>> Maybe I misunderstand you but: No, I wouldn't say so. All I did with
>> my commit was to remove the timeout with the reasoning above. That
>> does by no means remove the protection against the cross site request
>> forgery - as this is the token itself (with or without the timeout)!
>> I'm just certain that the timeout brings no additional gain in
>> security based on the reasoning above.
>
> Just for understanding: If a token has no timeout and is not used (client
> closes browser instead of logout) will it ever be cleaned from the backend?

It will not even be stored in the backend. This was a change between  
how tokens worked in Horde 3 and Horde 4. The newer tokens contain the  
security relevant hash but also a leading prefix: a timestamp. On  
validation the token gets split into the timestamp and the hash part.  
The hash part will be checked against your secret in the session. The  
timestamp can *optionally* be checked for a timeout. No need to store  
the token for that.

We only store tokens in the backend if they should be valid only  
*once*. In that case we need to remember that the token was used  
already by storing it in the backend. But I'm not certain we actually  
use this mechanism at the moment.

Cheers,

Gunnar

>
> --
> Ralf Lang
> Linux Consultant / Developer
>
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> Managing Director: Ralph Dehner / Registered office: Vohburg / District court: Ingolstadt, HRB 3537

-- 
Core Developer
The Horde Project

e: wrobel at horde.org
t: +49 700 6245 0000
w: http://www.horde.org

pgp: 9703 43BE
tweets: http://twitter.com/pardus_de
blog: http://log.pardus.de
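The token layout Gunnar describes above (a timestamp prefix plus a hash bound to the per-session secret, validated without storing anything in the backend, the timeout as an optional check, and a used-token store only when a token must be valid once), as an added Python illustration that is not Horde's own PHP implementation. The HMAC-SHA256 construction, the `:` separator and the `used_tokens` set are assumptions of this example.

```python
import hashlib
import hmac
import time


def make_token(session_secret, now=None):
    """Build a stateless token of the form '<timestamp>:<hash>'.

    The hash is an HMAC over the timestamp keyed with the session secret
    (assumed construction), so neither part can be forged or altered by
    a cross-site attacker who does not hold the victim's session secret.
    Nothing is written to a backend store.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(session_secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(token, session_secret, timeout=None, now=None, used_tokens=None):
    """Validate a token against the session secret.

    timeout:     optional maximum age in seconds (None disables the check,
                 which is what removing the 30-minute limit amounts to).
    used_tokens: optional set of already-consumed tokens; only needed for
                 tokens that must be valid exactly once.
    """
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token: missing separator or non-numeric prefix
    # The hash part is checked against the secret in the session, in constant time.
    expected = hmac.new(session_secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    # The timestamp part can optionally be checked for a timeout.
    if timeout is not None:
        current = int(time.time()) if now is None else now
        if current - ts > timeout:
            return False
    # Single-use tokens are the only case that needs backend state.
    if used_tokens is not None:
        if token in used_tokens:
            return False
        used_tokens.add(token)
    return True
```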


