[horde] Clarification of "User is not authorized for imp"
Michael M Slusarz
slusarz at horde.org
Tue Jul 30 15:06:52 UTC 2013
Quoting Kareem Dana <kareem.dana at gmail.com>:
> It is at the emergency level here and on my FreeBSD machine that also logs
> to the system console which is quite annoying but I can change that with
> syslog.
>
> I believe, at least on my site, this will generate a lot of false positives
> and it gives me no information that httpd-access.log doesn't give me
> already since the log is generated right when a user connects to
> "/horde/imp" before attempting to even login.
Here's the problem... a user will NEVER go to /horde/imp by themselves
if you don't tell them to. WHY would they go there? We don't point
anywhere there in the code. If a user is manually entering horde/imp,
that sounds like an issue to me.
There's a login page. That's what you should point your users to.
Yes, you can't help users from bookmarking pages, but that is much
less prevalent than you think.
There's the very simple solution of only activating the login page on
a user-facing URL and disabling all other pages via HTTP, and then
redirect on login to a domain that allows all access.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the horde
mailing list