[horde] Autologin into Horde
Michael M Slusarz
slusarz at horde.org
Mon Apr 15 23:31:46 UTC 2013
Quoting Michael M Slusarz <slusarz at horde.org>:
> I now see that what Jan says is correct. But I'll be honest that
> this setting is very unclear. I'm not very happy with the
> documentation, because it needs to be stressed even more that
> setting this value to something other than 0 (without setting
> max_time) is a giant security hole since it is quite possible the
> session will NEVER be destroyed - depending on gc values. Not to
> mention that this value doesn't do anything for non-cookie based
> sessions.
To allow for maximum flexibility, re-add the ability to manually set
the lifetime for non-session lifetime cookies. Give a sterner warning
and thus allow a user/admin to shoot themselves in their foot if they
please.
FWIW, the concept of a "Click here to save session for X days" is a
TERRIBLE idea when it comes to security, **especially** for accessing
something like an e-mail client, wherein the user may be storing saved
e-mails that contain passwords for accessing OTHER applications.
Maybe for something like my cable provider it is ok to allow this (if
someone breaks into my account this way and pays my cable bill, more
power to them), but not for other applications.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
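The failure mode discussed in this thread (a persistent login cookie outliving a server-side session that PHP's garbage collector may never actually remove) can be closed by enforcing an absolute session lifetime in application code on every request. The following is an added example written for this page, not Horde's own code or configuration; the constant names COOKIE_LIFETIME and MAX_TIME and the functions configure_session, check_session and demo are illustrative assumptions, not Horde config keys or APIs. It also goes slightly beyond the message by disabling URL-based session IDs, since a cookie lifetime has no effect on non-cookie sessions at all.

```php
<?php
// Added example (not Horde code): enforce an absolute session lifetime
// ("max_time") server-side so that a persistent login cookie cannot keep a
// session alive for as long as PHP's garbage collector happens not to run.
// COOKIE_LIFETIME, MAX_TIME, configure_session, check_session and demo are
// hypothetical names chosen for this illustration.
declare(strict_types=1);

const COOKIE_LIFETIME = 14 * 86400; // persistent "remember me" cookie: 14 days
const MAX_TIME        = 7 * 86400;  // hard cap: no session may live longer than 7 days

// Cookie and GC settings alone do NOT guarantee destruction of the server-side
// session: gc_maxlifetime is measured from the last write, and GC only runs
// with probability gc_probability/gc_divisor when a session starts.
// Only meaningful under a web SAPI, so it is skipped on the CLI.
function configure_session(): void
{
    if (PHP_SAPI === 'cli') {
        return;
    }
    ini_set('session.gc_maxlifetime', (string) MAX_TIME);
    ini_set('session.use_only_cookies', '1'); // no URL-carried session IDs
    session_set_cookie_params([
        'lifetime' => COOKIE_LIFETIME,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Validate session data on every request, independent of cookies and of GC.
// Returns the updated session array, or null when the session must be destroyed.
function check_session(array $sess, int $now, int $max_time = MAX_TIME): ?array
{
    if (!isset($sess['created'])) {
        // First request for this session: record the absolute start time.
        return ['created' => $now, 'last_seen' => $now];
    }
    if ($now - $sess['created'] > $max_time) {
        // Absolute lifetime exceeded: refuse regardless of recent activity
        // or of how long the browser's cookie is still valid.
        return null;
    }
    $sess['last_seen'] = $now;
    return $sess;
}

// Constructed timeline: one request per day starting at an arbitrary epoch.
// Daily activity keeps the session's modification time fresh, so
// gc_maxlifetime by itself would never expire it while the 14-day cookie
// remains valid; the absolute cap still ends it after day 7.
function demo(): array
{
    $t0   = 1700000000;
    $sess = check_session([], $t0);
    $log  = [];
    for ($day = 1; $day <= 10; $day++) {
        $now       = $t0 + $day * 86400;
        $sess      = ($sess === null) ? null : check_session($sess, $now);
        $log[$day] = ($sess === null) ? 'destroyed' : 'active';
    }
    return $log;
}

configure_session();
if (PHP_SAPI === 'cli') {
    foreach (demo() as $day => $state) {
        printf("day %2d: %s\n", $day, $state);
    }
}
```

Run it with `php` on the command line to see days 1 through 7 reported as active and days 8 through 10 as destroyed. The design point is that the creation timestamp lives in the session data itself and is checked by the application, so expiry no longer depends on the cookie's lifetime, on the transport the session ID arrived over, or on whether garbage collection ever ran; in a real deployment the null branch would call session_destroy() and force a fresh login.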