[horde] Autologin into Horde

Simon Brereton simon.buongiorno at gmail.com
Tue Apr 16 04:53:28 UTC 2013


On 16 Apr 2013 01:32, "Michael M Slusarz" <slusarz at horde.org> wrote:
>
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> I now see that what Jan says is correct.  But I'll be honest that this
>> setting is very unclear.  I'm not very happy with the documentation,
>> because it needs to be stressed even more that setting this value to
>> something other than 0 (without setting max_time) is a giant security hole
>> since it is quite possible the session will NEVER be destroyed - depending
>> on gc values.  Not to mention that this value doesn't do anything for
>> non-cookie based sessions.
>
>
> To allow for maximum flexibility, re-add the ability to manually set the
> lifetime for non-session lifetime cookies.  Give a sterner warning and thus
> allow a user/admin to shoot themselves in their foot if they please.

For the safety/sanity of the rest of the internet, I urge against this.
There is a client-side workaround: just use a browser that allows an
extension to pin certain cookies.

For example, I use Firefox and I only have to re-login if I cleanly exit
Firefox (thereby destroying the cookie). If I don't, it's saved and the
only way I have to re-login is if the IP changes (which should always
happen, regardless of which route you go here, IMHO).

Simon

> FWIW, the concept of a "Click here to save session for X days" is a
> TERRIBLE idea when it comes to security, **especially** for accessing
> something like an e-mail client, wherein the user may be storing saved
> e-mails that contain passwords for accessing OTHER applications.  Maybe for
> something like my cable provider it is ok to allow this (if someone breaks
> into my account this way and pays my cable bill, more power to them), but
> not for other applications.
>
>
> michael
>
> ___________________________________
> Michael Slusarz [slusarz at horde.org]
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
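Added example, not code from Horde or from either poster: a minimal in-memory session store that makes Michael's point concrete. The cookie lifetime only influences the Max-Age the server writes into Set-Cookie; the server never sees that value again, and a client that keeps presenting the session id (a pinned cookie, an edited cookie jar, or an id carried in the URL rather than a cookie) is honoured until something on the server side drops the session. Without a server-side max_time check and with no garbage collection, that can be never. The class, method names and the max_time/bind_ip parameters are assumptions for illustration, not Horde configuration keys or API.

```python
"""Added example (not Horde code): a cookie lifetime alone does not bound a
session; only a server-side absolute limit (called max_time here) does.

SessionStore, max_time and bind_ip are illustrative names, not Horde's.
"""
import secrets


class SessionStore:
    """Server-side session table keyed by session id.

    cookie_lifetime only decides the Max-Age attribute the server sends in
    Set-Cookie; the client decides whether to honour it.  max_time is checked
    on every request against the server's own record of when the session
    started, so it holds whatever the client does with the cookie and also
    for session ids that never travelled in a cookie at all.
    """

    def __init__(self, cookie_lifetime=0, max_time=0, bind_ip=True):
        self.cookie_lifetime = cookie_lifetime  # seconds; 0 = browser-session cookie
        self.max_time = max_time                # seconds; 0 = no server-side cap
        self.bind_ip = bind_ip                  # drop session if client IP changes
        self._sessions = {}                     # sid -> {"user", "ip", "created"}
        # Note: nothing here ever garbage-collects expired entries; that is
        # deliberate, to mirror "depending on gc values, the session may
        # NEVER be destroyed".

    def create(self, user, client_ip, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "created": now}
        return sid, self.set_cookie_header(sid)

    def set_cookie_header(self, sid):
        attrs = ["sid=" + sid, "HttpOnly", "Secure", "SameSite=Lax"]
        if self.cookie_lifetime > 0:
            attrs.append("Max-Age=%d" % self.cookie_lifetime)
        return "Set-Cookie: " + "; ".join(attrs)

    def lookup(self, sid, client_ip, now):
        """Return the user owning a still-valid session, or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.bind_ip and sess["ip"] != client_ip:
            self._sessions.pop(sid)
            return None
        if self.max_time > 0 and now - sess["created"] > self.max_time:
            self._sessions.pop(sid)
            return None
        return sess["user"]


def demo():
    """Constructed scenario: same cookie lifetime, with and without max_time."""
    t0 = 1_000_000                 # arbitrary epoch seconds
    year = 365 * 24 * 3600
    ip, other_ip = "198.51.100.7", "203.0.113.9"   # RFC 5737 test addresses
    results = {}

    # Weak: 30-day cookie, no server-side cap.  The id is still honoured a
    # year later, whatever Max-Age the browser was told.
    weak = SessionStore(cookie_lifetime=30 * 24 * 3600, max_time=0)
    sid, _ = weak.create("alice", ip, t0)
    results["weak_after_one_year"] = weak.lookup(sid, ip, t0 + year)

    # Hardened: same 30-day cookie, but an 8-hour max_time on the server.
    hard = SessionStore(cookie_lifetime=30 * 24 * 3600, max_time=8 * 3600)
    sid, _ = hard.create("alice", ip, t0)
    results["hard_within_max_time"] = hard.lookup(sid, ip, t0 + 7 * 3600)
    results["hard_after_max_time"] = hard.lookup(sid, ip, t0 + 9 * 3600)

    # IP binding: a session presented from another address is dropped
    # regardless of either lifetime setting.
    bound = SessionStore(cookie_lifetime=0, max_time=0)
    sid, _ = bound.create("alice", ip, t0)
    results["ip_changed"] = bound.lookup(sid, other_ip, t0 + 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

The weak store returns "alice" a full year after login even though the cookie carried a 30-day Max-Age, because Max-Age is advice to the client, not a server check. The hardened store, identical except for max_time, rejects the same id after the cap. Both checks happen in lookup, on every request, so they also cover a session id that arrives in the URL, where a cookie lifetime has nothing to act on.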