[horde] Autologin into Horde

Michael M Slusarz slusarz at horde.org
Mon Apr 15 22:20:46 UTC 2013


Quoting Jan Schneider <jan at horde.org>:

> Quoting Michael Wisniewski <wisniewski at mwiz.org>:
>
>> I understand there are security risks with automatic login with  
>> Horde, but how can this be accomplished?  I've tried to set the  
>> session settings timeout to something large (8640000), set the path  
>> to my webserver path (/webmail/), but every time I close my browser,  
>> it continues to prompt me to login.  I also changed the maxlifetime  
>> of the cookies in my php.ini to 8640000.
>>
>> Is there something else I should be changing?  Is there an easier  
>> way to accomplish this?
>>
>> Thanks!
>
> Looks like this was disabled with this commit:  
> https://github.com/horde/horde/commit/2bbd679136963508713b2868bfd6d3f6967773bb
>
> I think Michael only thought of the timeout to be a setting to  
> *limit* the cookie lifetime below the browser session duration, not  
> to *extend* it beyond that.

This was (partially) intentional.  The reasoning being that allowing  
someone to close their browser, reopen it, and still be able to access  
mail should never be the default action for privacy reasons.

I now see that what Jan says is correct.  But I'll be honest that this  
setting is very unclear.  I'm not very happy with the documentation,  
because it needs to be stressed even more that setting this value to  
something other than 0 (without setting max_time) is a giant security  
hole since it is quite possible the session will NEVER be destroyed -  
depending on gc values.  Not to mention that this value doesn't do  
anything for non-cookie based sessions.

This can be reverted, but only if we can figure out a better way of  
stressing in the documentation that this is a Very Bad Idea.  We could  
also fall back to use the PHP default, but I guess that limits us a  
bit if we are running on a server with other PHP applications.

(I am thinking it might also be best to ship max_time with a non-zero  
value.  I.e. By default limiting sessions to 12 hours or something  
like that).

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
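To make the interaction Michael describes concrete, here is an added audit script (not part of the thread or of Horde's code) that checks a Horde session configuration for the pitfalls named above. It assumes conf.php values as a flat dict keyed like Horde's $conf['session'][...] entries (the 'timeout' and 'max_time' names come from the thread; 'use_only_cookies' is an assumed key) and uses a deliberately simplified model of PHP garbage collection.

```python
"""Audit Horde session-lifetime settings for the pitfalls discussed in this thread."""

# Constructed inputs mirroring the original poster's setup (assumed conf.php key names;
# the php.ini entries use their real directive names).
POSTER_CONF = {"timeout": 8640000, "max_time": 0, "use_only_cookies": True}
POSTER_PHP_INI = {"session.gc_maxlifetime": 8640000,
                  "session.gc_probability": 1, "session.gc_divisor": 100}
# Michael's proposed default: keep the persistent cookie but cap sessions at 12 hours.
CAPPED_CONF = {"timeout": 8640000, "max_time": 12 * 3600, "use_only_cookies": True}


def gc_enabled(php_ini):
    """PHP runs session gc with probability gc_probability/gc_divisor; 0 disables it."""
    return (int(php_ini.get("session.gc_probability", 1)) > 0
            and int(php_ini.get("session.gc_divisor", 100)) > 0)


def audit_session_config(conf, php_ini):
    """Return (code, message) findings; an empty list means none of the pitfalls apply."""
    findings = []
    timeout = int(conf.get("timeout", 0))    # cookie lifetime; 0 = browser session only
    max_time = int(conf.get("max_time", 0))  # absolute cap on a session; 0 = no cap
    if timeout > 0:
        findings.append(("persistent-cookie",
                         f"timeout={timeout}: login cookie survives closing the browser"))
        if max_time == 0:
            findings.append(("no-max-time",
                             "max_time=0: each request refreshes the session, nothing bounds it"))
    if max_time == 0 and not gc_enabled(php_ini):
        findings.append(("gc-disabled",
                         "PHP session gc is off: even idle sessions are never destroyed"))
    if not conf.get("use_only_cookies", True):
        findings.append(("url-sessions",
                         "session ids may travel in URLs, where timeout does not apply"))
    return findings


def idle_resume_window(conf, php_ini):
    """Seconds after the last request that a closed browser can still resume the session
    (0 = not resumable). Simplified model: the cookie must still be valid, the session
    must be under max_time, and gc (if enabled) is assumed to run promptly."""
    timeout = int(conf.get("timeout", 0))
    max_time = int(conf.get("max_time", 0))
    if timeout == 0:
        return 0
    bounds = [timeout]
    if max_time > 0:
        bounds.append(max_time)
    if gc_enabled(php_ini):
        bounds.append(int(php_ini.get("session.gc_maxlifetime", 1440)))
    return min(bounds)
```

Run against POSTER_CONF it flags the persistent cookie and the missing cap; with CAPPED_CONF only the persistent cookie remains and the resume window drops from 100 days to 12 hours.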
