[horde] Autologin into Horde

Jan Schneider jan at horde.org
Tue Apr 16 10:42:06 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Jan Schneider <jan at horde.org>:
>
>> Quoting Michael Wisniewski <wisniewski at mwiz.org>:
>>
>>> I understand there's security risks with automatic login with  
>>> Horde, but how can this be accomplished?  I've tried to set the  
>>> session settings timeout to something large (8640000), set the  
>>> path to my webserver path (/webmail/), but every time I close my  
>>> browser, it continues to prompt me to login.  I also changed the  
>>> maxlifetime of the cookies in my php.ini to 8640000.
>>>
>>> Is there something else I should be changing?  Is there an easier  
>>> way to accomplish this?
>>>
>>> Thanks!
>>
>> Looks like this was disabled with this commit:  
>> https://github.com/horde/horde/commit/2bbd679136963508713b2868bfd6d3f6967773bb
>>
>> I think Michael only thought of the timeout to be a setting to  
>> *limit* the cookie lifetime below the browser session duration, not  
>> to *extend* it beyond that.
>
> This was (partially) intentional.  The reasoning being that allowing  
> someone to close their browser, reopen it, and still be able to  
> access mail should never be the default action for privacy reasons.
>
> I now see that what Jan says is correct.  But I'll be honest that  
> this setting is very unclear.  I'm not very happy with the  
> documentation, because it needs to be stressed even more that  
> setting this value to something other than 0 (without setting  
> max_time) is a giant security hole since it is quite possible the  
> session will NEVER be destroyed - depending on gc values.  Not to  
> mention that this value doesn't do anything for non-cookie based  
> sessions.
>
> This can be reverted, but only if we can figure out a better way of  
> stressing in the documentation that this is a Very Bad Idea.  We  
> could also fall back to use the PHP default, but I guess that limits  
> us a bit if we are running on a server with other PHP applications.
>
> (I am thinking it might also be best to ship max_time with a  
> non-zero value.  I.e. By default limiting sessions to 12 hours or  
> something like that).

That's an interesting idea. I would rather set it to something like 20  
hours, so that you can keep the session open as long as you are awake.
-- 
Jan Schneider
The Horde Project
http://www.horde.org/
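As an added illustration of Michael's point about max_time and gc (example code written for this page, not Horde's own), a small Python model of the three lifetimes the thread juggles: the browser cookie lifetime, PHP's gc_maxlifetime and Horde's absolute max_time. The once-a-day usage pattern, the always-running GC and the 8640000 / 72000 second values reused from the thread are constructed assumptions.

```python
# Added example (not Horde's code): a model of the session-lifetime
# argument in the thread.  Times are seconds; the knobs are assumptions
# that mirror the settings discussed (cookie lifetime, max_time, PHP gc).
from dataclasses import dataclass

DAY = 86400


@dataclass
class Session:
    created: int
    last_access: int
    alive: bool = True


def gc(sess, now, gc_maxlifetime):
    """PHP-style garbage collection: drop data idle longer than
    gc_maxlifetime.  Real GC is probabilistic; modelled here as always
    running, which is the best case for the server, not the worst."""
    if sess.alive and now - sess.last_access > gc_maxlifetime:
        sess.alive = False


def server_accepts(sess, now, max_time):
    """Absolute lifetime check (the thread's max_time; 0 = no limit).
    This is the one bound the client cannot extend by staying active."""
    if not sess.alive:
        return False
    if max_time and now - sess.created > max_time:
        sess.alive = False
        return False
    sess.last_access = now
    return True


def cookie_present(now, cookie_lifetime, browser_restarted):
    """Client side: a 0-lifetime (session) cookie dies with the browser;
    a persistent cookie keeps being sent until it expires."""
    if cookie_lifetime == 0:
        return not browser_restarted
    return now < cookie_lifetime


def first_relogin_day(days, cookie_lifetime, max_time, gc_maxlifetime):
    """User logs in at t=0, then once a day reopens the browser and reads
    mail.  Returns the first day a fresh login is required, or None if the
    original session is still usable after `days` days."""
    sess = Session(created=0, last_access=0)
    for day in range(1, days + 1):
        now = day * DAY
        gc(sess, now, gc_maxlifetime)
        if not cookie_present(now, cookie_lifetime, browser_restarted=True):
            return day
        if not server_accepts(sess, now, max_time):
            return day
    return None
```

With a persistent cookie, max_time=0 and gc_maxlifetime raised to match, `first_relogin_day(90, 8640000, 0, 8640000)` returns None: the daily visit keeps resetting the idle timer, so nothing on the server ever ends the session. Setting max_time to Jan's 20 hours (72000) makes the same call return 1 regardless of the cookie or GC settings.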