[horde] Autologin into Horde
Michael M Slusarz
slusarz at horde.org
Mon Apr 15 22:20:46 UTC 2013
Quoting Jan Schneider <jan at horde.org>:
> Zitat von Michael Wisniewski <wisniewski at mwiz.org>:
>
>> I understand there are security risks with automatic login with
>> Horde, but how can this be accomplished? I've tried to set the
>> session settings timeout to something large (8640000), set the path
>> to my webserver path (/webmail/), but every time I close my browser,
>> it continues to prompt me to login. I also changed the maxlifetime
>> of the cookies in my php.ini to 8640000.
>>
>> Is there something else I should be changing? Is there an easier
>> way to accomplish this?
>>
>> Thanks!
>
> Looks like this was disabled with this commit:
> https://github.com/horde/horde/commit/2bbd679136963508713b2868bfd6d3f6967773bb
>
> I think Michael only thought of the timeout to be a setting to
> *limit* the cookie lifetime below the browser session duration, not
> to *extend* it beyond that.
This was (partially) intentional, the reasoning being that allowing
someone to close their browser, reopen it, and still be able to access
mail should never be the default action for privacy reasons.
I now see that what Jan says is correct. But I'll be honest that this
setting is very unclear. I'm not very happy with the documentation,
because it needs to be stressed even more that setting this value to
something other than 0 (without setting max_time) is a giant security
hole since it is quite possible the session will NEVER be destroyed -
depending on gc values. Not to mention that this value doesn't do
anything for non-cookie based sessions.
This can be reverted, but only if we can figure out a better way of
stressing in the documentation that this is a Very Bad Idea. We could
also fall back to use the PHP default, but I guess that limits us a
bit if we are running on a server with other PHP applications.
(I am thinking it might also be best to ship max_time with a non-zero
value, i.e. by default limiting sessions to 12 hours or something
like that.)
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
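The interaction Michael describes above (a long cookie timeout with max_time left at 0, so the server-side session only dies if garbage collection happens to catch it idle) can be modelled with a few lines. This is an added illustration, not Horde's code; it assumes the cookie timeout is large enough that the browser always presents the cookie, that the server-side session expires a sliding `gc_maxlifetime` seconds after its last access (as PHP session GC does), and that `max_time` is an absolute cap measured from session creation, with 0 meaning no cap.

```python
# Added model of the session-lifetime interaction discussed in the thread.
# Assumptions (not Horde's actual implementation): the cookie "timeout" only
# controls how long the browser keeps sending the cookie; the server-side
# session is garbage collected gc_maxlifetime seconds after its *last*
# access (sliding window, like PHP's session GC); "max_time" is an absolute
# cap measured from session creation, 0 meaning no cap.

from dataclasses import dataclass

HOUR = 3600


@dataclass
class Session:
    created: int      # epoch seconds when the session was created
    last_access: int  # epoch seconds of the most recent request


def session_alive(sess, now, gc_maxlifetime, max_time):
    """Return True if the server would still accept the session at `now`."""
    if now - sess.last_access > gc_maxlifetime:
        return False  # idle too long: eligible for garbage collection
    if max_time and now - sess.created > max_time:
        return False  # absolute lifetime exceeded
    return True


def simulate(request_times, gc_maxlifetime, max_time):
    """Replay request timestamps against one session.

    Returns the timestamp of the first request that found the session dead,
    or None if every request was served by the same never-expiring session.
    """
    sess = Session(created=request_times[0], last_access=request_times[0])
    for t in request_times[1:]:
        if not session_alive(sess, t, gc_maxlifetime, max_time):
            return t
        sess.last_access = t  # each request slides the idle window forward
    return None


def daily_requests(days, interval=20 * HOUR):
    """Constructed access pattern: one request every `interval` seconds."""
    return [i * interval for i in range(days * 24 * HOUR // interval + 1)]


if __name__ == "__main__":
    hits = daily_requests(30)  # user opens webmail about once a day
    gc = 24 * HOUR             # constructed session.gc_maxlifetime value
    print(simulate(hits, gc, max_time=0))          # None: never destroyed
    print(simulate(hits, gc, max_time=12 * HOUR))  # 72000: capped on visit 2
    print(simulate(hits, 12 * HOUR, max_time=0))   # 72000: short gc catches it
```

With a 24-hour gc window and daily use the session is never destroyed; only an absolute max_time, or a gc_maxlifetime shorter than the user's visit interval, ends it.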