[horde] Autologin into Horde

Michael M Slusarz slusarz at horde.org
Tue Apr 16 20:19:20 UTC 2013


Quoting Jan Schneider <jan at horde.org>:

> Zitat von Michael M Slusarz <slusarz at horde.org>:
>
>> (I am thinking it might also be best to ship max_time with a  
>> non-zero value.  I.e. By default limiting sessions to 12 hours or  
>> something like that).
>
> That's an interesting idea. I would rather set it to something like 20  
> hours, so that you can keep the session open as long as you are awake.

Makes sense.  This would cause sessions to time out overnight, assuming  
that people log in (to, say, their business computer) at the same time  
every day.

But we really do need to enforce this value by default.  The  
discussion here (and on some bug tickets) reiterates that people  
erroneously believe they can somehow enforce session "security" by  
setting a timeout value for the session.  This won't work.  The only  
way to ensure sessions will be destroyed is by enforcing a hard  
timelimit based on the login time.

I guess another possible option would be to regenerate the session ID  
after a certain period of time if the client appears to still be  
active.  This eliminates the security concern of someone recovering  
the session ID and being able to use it, while allowing us to forgo  
re-authentication.  However, I don't think the framework is in place  
for this to work in dynamic applications if not using COOKIES (there  
may be links present on the page containing the old session ID).  But  
maybe we ignore this use-case, since we already heavily disfavor  
non-cookie based sessions as it is?

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
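The distinction drawn above (an idle timeout that a replayed session ID keeps alive forever, versus a hard limit measured from login time, plus periodic ID regeneration) as an added Python example. This is illustrative code written for this page, not Horde's session code; the policy values MAX_IDLE, MAX_TIME and ROTATE_EVERY, the class names and the in-memory store are assumptions. A max_time of 0 is treated as "disabled", mirroring the shipped-default question in the thread.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Hypothetical policy values in seconds (assumptions, not Horde defaults).
MAX_IDLE = 30 * 60        # idle timeout, reset on every request
MAX_TIME = 20 * 60 * 60   # hard lifetime, measured from the login time
ROTATE_EVERY = 60 * 60    # regenerate the session ID this often while active


@dataclass
class Session:
    user: str
    login_time: float      # never updated: basis for the hard limit
    last_activity: float   # updated on every request: basis for idle timeout
    id_issued_at: float    # when the current session ID was minted
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store with both timeouts and ID rotation."""

    def __init__(self, max_idle=MAX_IDLE, max_time=MAX_TIME, rotate_every=ROTATE_EVERY):
        self.max_idle = max_idle
        self.max_time = max_time          # 0 means "no hard limit"
        self.rotate_every = rotate_every
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def login(self, user: str, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def is_live(self, sid: str) -> bool:
        return sid in self._sessions

    def touch(self, sid: str, now: float) -> str | None:
        """Validate a request carrying `sid`.

        Returns the (possibly regenerated) session ID, or None when the
        session is gone and the client must re-authenticate.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Idle timeout only catches clients that stop sending requests; an
        # attacker replaying a stolen ID keeps this window open indefinitely.
        if now - sess.last_activity > self.max_idle:
            self._sessions.pop(sid, None)
            return None
        # Hard limit from login time: expires however active the client is.
        if self.max_time and now - sess.login_time > self.max_time:
            self._sessions.pop(sid, None)
            return None
        sess.last_activity = now
        # Periodic regeneration: a previously stolen ID stops working at the
        # next rotation without ever re-prompting the legitimate user.
        if now - sess.id_issued_at >= self.rotate_every:
            new_sid = self._new_id()
            del self._sessions[sid]
            sess.id_issued_at = now
            self._sessions[new_sid] = sess
            return new_sid
        return sid


def replay_attack_survives(max_time: float) -> bool:
    """Attacker steals the ID at login and replays it every 10 minutes for 24 h.

    Returns True if the stolen ID is still accepted at the end. Rotation is
    disabled here so only the two timeouts are being compared.
    """
    store = SessionStore(max_time=max_time, rotate_every=10**9)
    stolen = store.login("alice", 0.0)
    for step in range(1, 24 * 6 + 1):
        if store.touch(stolen, step * 600.0) is None:
            return False
    return True


def rotation_invalidates_stolen_id() -> tuple[bool, bool]:
    """Legitimate user keeps working every 10 minutes through one rotation.

    Returns (legitimate session still live, originally stolen ID still live).
    """
    store = SessionStore()
    stolen = current = store.login("alice", 0.0)
    for t in (600.0, 1200.0, 1800.0, 2400.0, 3000.0, 3600.0):
        current = store.touch(current, t)
    return current is not None and store.is_live(current), store.is_live(stolen)
```

With max_time=0 the replayed ID never expires, because each replay resets last_activity; with the 20-hour hard limit it dies at the first request past login_time + max_time. Rotation drops the old ID immediately, which is only safe when the ID travels in a cookie; if it is carried in URLs, pages already rendered still link to the old ID, the problem the message raises for non-cookie sessions.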
