[horde] Autologin into Horde
Michael M Slusarz
slusarz at horde.org
Tue Apr 16 20:19:20 UTC 2013
Quoting Jan Schneider <jan at horde.org>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> (I am thinking it might also be best to ship max_time with a
>> non-zero value. I.e. By default limiting sessions to 12 hours or
>> something like that).
>
> That's an interesting idea. I would rather set to something like 20
> hours, so that you can keep the session open as long as you are awake.
Makes sense. This would cause sessions to time out overnight, assuming
that people log in (to, say, their business computer) at the same time
every day.
But we really do need to enforce this value by default. The
discussion here (and on some bug tickets) reiterates that people
erroneously believe they can somehow enforce session "security" by
setting a timeout value for the session. This won't work. The only
way to ensure sessions will be destroyed is by enforcing a hard
time limit based on the login time.
I guess another possible option would be to regenerate the session ID
after a certain period of time if the client appears to still be
active. This eliminates the security concern of someone recovering
the session ID and being able to use it, while allowing us to forgo
re-authentication. However, I don't think the framework is in place
for this to work in dynamic applications if not using COOKIES (there
may be links present on the page containing the old session ID). But
maybe we ignore this use case, since we already heavily disfavor
non-cookie-based sessions as it is?
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
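The point made in this thread, that an inactivity timeout alone never destroys a session that someone keeps using, while a hard limit measured from login time does, is illustrated by the following added example. It is not Horde code and does not model Horde's session framework; the policy values (30 minute idle timeout, 20 hour hard lifetime, hourly ID rotation), the `SessionStore` class and the `keep_alive` simulation are all constructed here for illustration. The ID-rotation branch corresponds to the "regenerate the session ID after a certain period" idea, with the old ID invalidated immediately (the cookie-only simplification the message mentions).

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    login_time: float   # wall-clock time of authentication; never updated
    last_active: float  # refreshed on every validated request
    rotated_at: float   # when the session ID was last regenerated


class SessionStore:
    """In-memory session store enforcing three independent policies
    (hypothetical design, not Horde's)."""

    def __init__(self, idle_timeout, max_time=None, rotate_after=None):
        self.idle_timeout = idle_timeout    # seconds of inactivity allowed
        self.max_time = max_time            # hard lifetime from login; None = unlimited
        self.rotate_after = rotate_after    # regenerate ID after this many seconds
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid, now):
        """Return (status, sid). sid is None if the session is gone, or a
        fresh ID if it was rotated; callers must re-issue the cookie."""
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown", None
        # Hard limit is checked first and is based solely on login time,
        # so activity cannot extend it.
        if self.max_time is not None and now - sess.login_time >= self.max_time:
            del self._sessions[sid]
            return "expired_max_time", None
        if now - sess.last_active >= self.idle_timeout:
            del self._sessions[sid]
            return "expired_idle", None
        sess.last_active = now
        if self.rotate_after is not None and now - sess.rotated_at >= self.rotate_after:
            del self._sessions[sid]          # old ID stops working immediately
            sess.rotated_at = now
            new_sid = secrets.token_urlsafe(32)
            self._sessions[new_sid] = sess
            return "rotated", new_sid
        return "ok", sid


def keep_alive(store, sid, start, interval, end):
    """Simulate a client (legitimate or whoever holds a copied ID) that
    sends one request every `interval` seconds. Returns (status, time) of
    the first failure, or ("ok", end) if the session is still valid at `end`."""
    t = start + interval
    while t <= end:
        status, sid = store.validate(sid, t)   # follow rotated IDs transparently
        if status not in ("ok", "rotated"):
            return status, t
        t += interval
    return "ok", end


def demo():
    h = 3600
    # Idle timeout only: the session lives as long as anyone keeps using it.
    idle_only = SessionStore(idle_timeout=30 * 60)
    sid = idle_only.login("alice", 0)
    print("idle-only, polled every 10 min for 5 days:",
          keep_alive(idle_only, sid, 0, 600, 120 * h))
    # Hard limit from login time: same traffic pattern, session dies at 20h.
    hard = SessionStore(idle_timeout=30 * 60, max_time=20 * h, rotate_after=h)
    sid = hard.login("alice", 0)
    print("hard 20h limit, same traffic:",
          keep_alive(hard, sid, 0, 600, 120 * h))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the idle-only store reporting `("ok", 432000)` after five days of polling, whereas the store with `max_time` reports `("expired_max_time", 72000)` at exactly 20 hours regardless of how often the session was touched.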