[horde] Autologin into Horde

Jan Schneider jan at horde.org
Wed Apr 17 13:15:09 UTC 2013


Zitat von Michael M Slusarz <slusarz at horde.org>:

> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> I guess another possible option would be to regenerate the session  
>> ID after a certain period of time if the client appears to still be  
>> active.  This eliminates the security concern of someone recovering  
>> the session ID and being able to use it, while allowing us to forgo  
>> re-authentication.  However, I don't think the framework is in  
>> place for this to work in dynamic applications if not using COOKIES  
>> (there may be links present on the page containing the old session  
>> ID).  But maybe we ignore this use-case, since we already heavily  
>> disfavor non-cookie based sessions as it is?
>
> Played around with this idea this afternoon and it seems to work  
> well.  At a minimum, it provides some protection against session  
> fixation attacks by periodically changing the session identifier in  
> active sessions (the regeneration value is either half the maximum  
> session GC time, or 1 day if no GC is active).
>
> Cookie based sessions see this value automatically updated in the  
> cookie.  Non-cookie based dynamic sessions now send the SID on every  
> request in order to catch SID changes.
>
> The 1 DoS issue I can think of is if multiple dynamic requests are  
> received at the same time - if the SID changes in the first request  
> one of the subsequent cached requests will try to access a  
> non-existent session and will cause a logout.  Although...
>
> 1) This should be very rare.
> 2) I'm actually not sure if this will even occur.  Since these  
> requests are waiting for R/W access on the session data, the old  
> session data may not be deleted until these queued requests are  
> completed (likewise, I'm not sure if this will point to the new  
> session data or the old session data).  The documentation doesn't  
> discuss this in any detail.
> 3) Although even if PHP behaves in #2, there is still the edge case  
> of changing the SID and the request returning the SID to the  
> browser, and in between the time session is closed and the new SID  
> is received the browser fires off a request with the old SID.  Not  
> sure if this edge case is worth dealing with.
>
> An option to fix is to create a periodic request from the browser to  
> explicitly change the SID that locks out all other requests until it  
> is completed.  It could be scheduled to run at a certain time period  
> before server-side regeneration would occur to ensure that it always  
> occurs under controlled conditions.
>
> michael
>
> ___________________________________
> Michael Slusarz [slusarz at horde.org]

I'm getting kicked out of the session like every two hours now. I have  
the max_time still set to 0.
-- 
Jan Schneider
The Horde Project
http://www.horde.org/
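An added example, not Horde's code, of the regeneration scheme discussed in the quoted message: a constructed session store rotates the SID after half the GC max lifetime (or one day when GC is off) and keeps the old SID as a short-lived alias so a request already in flight with the old identifier does not end in a logout. The class, its method names, the injected clock and the 5-second grace window are assumptions made for the illustration.

```python
import time

# Constructed stand-in for a server-side session store (not Horde's code).
class SessionStore:
    def __init__(self, gc_maxlifetime=None, grace=5.0, now=time.time):
        self.now = now          # injectable clock so the race can be simulated
        self.grace = grace      # seconds an old SID stays usable after rotation
        # Regeneration interval: half the GC max lifetime, or 1 day if GC is off.
        self.interval = gc_maxlifetime / 2 if gc_maxlifetime else 86400
        self._sessions = {}     # sid -> {"data": ..., "created": timestamp}
        self._aliases = {}      # old sid -> (new sid, alias expiry)
        self._counter = 0

    def _new_sid(self):
        self._counter += 1
        return "sid%d" % self._counter   # placeholder; use a CSPRNG in real code

    def create(self, data):
        sid = self._new_sid()
        self._sessions[sid] = {"data": data, "created": self.now()}
        return sid

    def resolve(self, sid):
        """Return (current_sid, data), or None if the SID is unknown or expired."""
        if sid in self._aliases:
            new_sid, expiry = self._aliases[sid]
            if self.now() > expiry:
                del self._aliases[sid]   # grace window over: old SID is dead
                return None
            sid = new_sid
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        # Periodic regeneration: rotate the identifier once it is old enough.
        if self.now() - entry["created"] >= self.interval:
            sid = self.regenerate(sid)
        return sid, entry["data"]

    def regenerate(self, old_sid):
        """Rotate the SID now (also usable for an explicit client-driven rotation)."""
        entry = self._sessions.pop(old_sid)
        new_sid = self._new_sid()
        self._sessions[new_sid] = {"data": entry["data"], "created": self.now()}
        # Keep the old SID mapped to the new one briefly, so a request that was
        # queued or sent before the browser saw the new SID is not logged out.
        self._aliases[old_sid] = (new_sid, self.now() + self.grace)
        return new_sid
```

The alias bounds the window in which a recovered old SID is still useful to the grace period, which is the trade-off against the hard cut-over that causes the spurious logout.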