[horde] Horde session handling

Claude Tompers claude.tompers at restena.lu
Mon Feb 3 13:26:44 UTC 2014


Hi,

I discovered a problem with Horde's session handling.
If a user does not log out and just closes his browser, reopening the
browser does not kill the session completely.

Having a look at Horde's cookies, the default_horde_view and webmail cookies
both have a lifetime of 12h and survive the browser "restart", whereas
horde_secret_key gets invalidated when the browser closes.

The result is that the browser logs in to Horde but cannot access
any IMAP information (sending a blank password). It is impossible to do
any operation because you cannot authenticate; still, this does not
look nice to the user. Shouldn't all cookies behave the same way?
Ideally getting invalidated when the browser closes.

Is the cookie lifetime configurable and have I overlooked this, or is
this fixed in the code?

(tested on latest Horde and latest Firefox)

kind regards,
Claude

-- 
Claude Tompers
Network and Systems Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
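
A check for the mismatch described in the message, as an added example that is not part of the original post or of Horde's code: it reads Set-Cookie headers and lists the cookies that persist while another cookie of the same login is a session cookie. The header values are constructed; the cookie names come from the message, and `webmail` is assumed to be the name of the session cookie.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lowercased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Seconds the browser keeps the cookie; None means a session cookie."""
    if "max-age" in attrs:            # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None                       # no lifetime attribute: dropped on browser close

def audit(headers, now):
    """Return ({cookie: lifetime}, names that outlive the session cookies)."""
    lifetimes = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        lifetimes[name] = lifetime_seconds(attrs, now)
    has_session = any(v is None for v in lifetimes.values())
    survivors = sorted(n for n, v in lifetimes.items()
                       if has_session and v is not None and v > 0)
    return lifetimes, survivors

# Constructed sample headers; names from the message, attribute values assumed.
NOW = datetime(2014, 2, 3, 13, 26, 44, tzinfo=timezone.utc)
SAMPLE = [
    "default_horde_view=auto; Expires=Tue, 04 Feb 2014 01:26:44 GMT; Path=/",
    "webmail=constructedsessionid; Max-Age=43200; Path=/; HttpOnly",
    "horde_secret_key=constructedkey; Path=/; HttpOnly",
]

if __name__ == "__main__":
    lifetimes, survivors = audit(SAMPLE, NOW)
    for name, secs in lifetimes.items():
        label = "session" if secs is None else str(secs) + "s"
        print(name + ": " + label)
    if survivors:
        print("outlive the browser session:", ", ".join(survivors))
```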