[horde] Autologin into Horde

Michael M Slusarz slusarz at horde.org
Mon Apr 15 23:31:46 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> I now see that what Jan says is correct.  But I'll be honest that  
> this setting is very unclear.  I'm not very happy with the  
> documentation, because it needs to be stressed even more that  
> setting this value to something other than 0 (without setting  
> max_time) is a giant security hole since it is quite possible the  
> session will NEVER be destroyed - depending on gc values.  Not to  
> mention that this value doesn't do anything for non-cookie based  
> sessions.

To allow for maximum flexibility, re-add the ability to manually set  
the lifetime for non-session lifetime cookies.  Give a sterner warning  
and thus allow a user/admin to shoot themselves in their foot if they  
please.

FWIW, the concept of a "Click here to save session for X days" is a  
TERRIBLE idea when it comes to security, **especially** for accessing  
something like an e-mail client, wherein the user may be storing saved  
e-mails that contain passwords for accessing OTHER applications.   
Maybe for something like my cable provider it is ok to allow this (if  
someone breaks into my account this way and pays my cable bill, more  
power to them), but not for other applications.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
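The quoted point above (a cookie lifetime other than 0 with no max_time can leave a session that is never destroyed, depending on gc values) can be shown with a small model of the three rules involved. This is an added example, not Horde code; the policy fields cookie_lifetime, gc_maxlifetime, gc_runs and max_time are assumptions that mirror the concepts in the thread, not Horde's configuration keys, and the model assumes, as "remember me" implementations usually do, that the cookie is re-issued on every request.

```python
"""Toy model of session lifetime rules (constructed example, not Horde code).
Field names are assumptions chosen to mirror the thread: a browser-side cookie
lifetime, PHP-style idle garbage collection, and an absolute max_time."""

from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Policy:
    cookie_lifetime: int   # seconds the browser keeps the cookie (assumed re-issued per request)
    gc_maxlifetime: int    # idle seconds after which garbage collection drops a session
    gc_runs: bool          # whether GC ever fires at all (PHP: gc_probability > 0)
    max_time: int          # absolute server-side lifetime in seconds; 0 = unlimited


@dataclass
class Session:
    created: int
    last_access: int


class SessionStore:
    """Server-side store: idle-based GC plus an optional absolute ceiling."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[str, Session] = {}
        self.cookie_issued: Dict[str, int] = {}

    def login(self, sid: str, now: int) -> None:
        self.sessions[sid] = Session(created=now, last_access=now)
        self.cookie_issued[sid] = now

    def _gc(self, now: int) -> None:
        # Idle GC only drops sessions nobody has touched for gc_maxlifetime seconds,
        # so a session that is used regularly is never collected.
        for sid, s in list(self.sessions.items()):
            if now - s.last_access > self.policy.gc_maxlifetime:
                del self.sessions[sid]

    def request(self, sid: str, now: int) -> bool:
        """Handle one request carrying cookie `sid`; True if it is served logged in."""
        p = self.policy
        if p.gc_runs:
            self._gc(now)
        # The browser would not send a cookie whose lifetime has elapsed.
        if sid in self.cookie_issued and now - self.cookie_issued[sid] > p.cookie_lifetime:
            return False
        s = self.sessions.get(sid)
        if s is None:
            return False
        # The absolute limit is the only rule that activity cannot extend.
        if p.max_time and now - s.created > p.max_time:
            del self.sessions[sid]
            return False
        s.last_access = now
        self.cookie_issued[sid] = now   # "remember me" style: cookie refreshed on every hit
        return True


def lifetime(policy: Policy, visit_every: int, horizon: int) -> Optional[int]:
    """Log in at t=0 and revisit every `visit_every` seconds up to `horizon`.
    Returns the time of the first rejected request, or None if the session
    outlived the whole horizon."""
    store = SessionStore(policy)
    store.login("s1", 0)
    t = visit_every
    while t <= horizon:
        if not store.request("s1", t):
            return t
        t += visit_every
    return None


# A: 30-day cookie, GC idle limit tuned to match it, no max_time (the setup warned about).
REMEMBER_ME = Policy(cookie_lifetime=30 * DAY, gc_maxlifetime=30 * DAY, gc_runs=True, max_time=0)
# B: same cookie, but a hard 7-day ceiling enforced server-side.
CAPPED = Policy(cookie_lifetime=30 * DAY, gc_maxlifetime=30 * DAY, gc_runs=True, max_time=7 * DAY)
# C: short idle limit on paper, but GC never fires.
NO_GC = Policy(cookie_lifetime=30 * DAY, gc_maxlifetime=24 * 60, gc_runs=False, max_time=0)

if __name__ == "__main__":
    year = 365 * DAY
    print("A (no max_time), daily visits:", lifetime(REMEMBER_ME, DAY, year))   # None
    print("B (max_time=7d), daily visits:", lifetime(CAPPED, DAY, year))        # 691200 (day 8)
    print("C (GC off), visits every 12h :", lifetime(NO_GC, 12 * HOUR, year))   # None
```

Scenarios A and C both run for a full simulated year without the session ever being destroyed: in A because a regularly used session is never idle long enough for GC, in C because GC never runs at all, so even the 24-minute idle limit is never applied. Only B, with an absolute max_time, ends the session on the first request after day 7, whatever the cookie says.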
