[horde] Autologin into Horde
Jan Schneider
jan at horde.org
Tue Apr 16 10:42:06 UTC 2013
Zitat von Michael M Slusarz <slusarz at horde.org>:
> Quoting Jan Schneider <jan at horde.org>:
>
>> Zitat von Michael Wisniewski <wisniewski at mwiz.org>:
>>
>>> I understand there are security risks with automatic login with
>>> Horde, but how can this be accomplished? I've tried to set the
>>> session settings timeout to something large (8640000), set the
>>> path to my webserver path (/webmail/), but every time I close my
>>> browser, it continues to prompt me to login. I also changed the
>>> maxlifetime of the cookies in my php.ini to 8640000.
>>>
>>> Is there something else I should be changing? Is there an easier
>>> way to accomplish this?
>>>
>>> Thanks!
>>
>> Looks like this was disabled with this commit:
>> https://github.com/horde/horde/commit/2bbd679136963508713b2868bfd6d3f6967773bb
>>
>> I think Michael only thought of the timeout to be a setting to
>> *limit* the cookie lifetime below the browser session duration, not
>> to *extend* it beyond that.
>
> This was (partially) intentional. The reasoning being that allowing
> someone to close their browser, reopen it, and still be able to
> access mail should never be the default action for privacy reasons.
>
> I now see that what Jan says is correct. But I'll be honest that
> this setting is very unclear. I'm not very happy with the
> documentation, because it needs to be stressed even more that
> setting this value to something other than 0 (without setting
> max_time) is a giant security hole since it is quite possible the
> session will NEVER be destroyed - depending on gc values. Not to
> mention that this value doesn't do anything for non-cookie based
> sessions.
>
> This can be reverted, but only if we can figure out a better way of
> stressing in the documentation that this is a Very Bad Idea. We
> could also fall back to use the PHP default, but I guess that limits
> us a bit if we are running on a server with other PHP applications.
>
> (I am thinking it might also be best to ship max_time with a
> non-zero value. I.e. By default limiting sessions to 12 hours or
> something like that).
That's an interesting idea. I would rather set it to something like 20
hours, so that you can keep the session open as long as you are awake.
--
Jan Schneider
The Horde Project
http://www.horde.org/
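As an added illustration for this thread (not code from Horde or from either poster), a small Python model of the three lifetime controls the discussion turns on: the cookie timeout the original poster raised to 8640000, the idle-based garbage collection Michael refers to, and an absolute max_time. The names `SessionStore`, `first_refusal` and the assumption that the cookie is issued once at login are mine; gc is modelled as deterministic, whereas PHP's is probabilistic, so a real session lives at least this long.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    created: int    # login time, in seconds
    last_seen: int  # last request that touched the session


class SessionStore:
    """Hypothetical store applying three lifetime checks on every request."""

    def __init__(self, cookie_lifetime: int, gc_idle: int, max_time: int = 0):
        self.cookie_lifetime = cookie_lifetime  # seconds the browser keeps the cookie
        self.gc_idle = gc_idle                  # idle seconds before gc removes the session
        self.max_time = max_time                # absolute cap in seconds; 0 means none
        self.session: Optional[Session] = None

    def login(self, now: int) -> None:
        self.session = Session(created=now, last_seen=now)

    def request(self, now: int) -> bool:
        """Return True if the request is served from the existing session."""
        s = self.session
        if s is None:
            return False
        # A persistent cookie survives browser restarts until it expires (assumed set at login).
        if now - s.created > self.cookie_lifetime:
            return False
        # gc removes only idle sessions; a regularly used session is never idle long enough.
        if now - s.last_seen > self.gc_idle:
            self.session = None
            return False
        # The absolute limit is the only check that ends an actively used session.
        if self.max_time and now - s.created > self.max_time:
            self.session = None
            return False
        s.last_seen = now
        return True


def first_refusal(store: SessionStore, interval: int, duration: int) -> Optional[int]:
    """Log in at t=0, request every `interval` seconds for `duration`; return the time of the first refused request, or None."""
    store.login(0)
    for t in range(interval, duration + 1, interval):
        if not store.request(t):
            return t
    return None


if __name__ == "__main__":
    month = 30 * 86400
    # Cookie timeout from the thread; 1440 s is PHP's default gc_maxlifetime.
    print(first_refusal(SessionStore(8640000, 1440), 1200, month))                      # None: lives all month
    print(first_refusal(SessionStore(8640000, 1440, max_time=12 * 3600), 1200, month))  # 44400: cut off after 12 h
```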