[horde] Horde session handling
Ralf Lang
lang at b1-systems.de
Mon Feb 3 13:47:04 UTC 2014
On 03.02.2014 14:26, Claude Tompers wrote:
> Hi,
>
> I discovered a problem with horde's session handling.
> If a user does not log out and just closes his browser, reopening the
> browser does not kill the session completely.
>
> Having a look at Horde's cookies, default_horde_view and webmail cookie
> both have a lifetime of 12h and survive the browser "restart" whereas
> horde_secret_key gets invalidated when the browser closes.
>
> The result is that the browser logs into Horde but cannot access
> any imap information (sending a blank password). It is impossible to do
> any operation because you can not authenticate, still this does not
> look nice to the user. Shouldn't all cookies behave the same way ?
> Ideally getting invalidated when the browser closes.
>
> Is the cookie lifetime configurable and have I overseen this, or is
> this fixed in the code ?
>
> (tested on latest Horde and latest Firefox)
Please see the cookie lifetime settings in conf.php, especially
$conf[session][timeout] and $conf[session][max_time].
They are in the horde config General tab under session.
Would you suggest different defaults?
--
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
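
The check below is an added example, not part of the original thread or of Horde's code. It reads Set-Cookie values and lists the cookies that survive a browser restart while a named key cookie does not, which is the mismatch reported above; the header values and the clock are constructed, and only the cookie names come from the report.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie values modelled on the report above: two cookies with
# a 12 h lifetime and a key cookie with no lifetime attribute. Values are made up.
SAMPLE = [
    "webmail=abc123; Max-Age=43200; Path=/; HttpOnly",
    "default_horde_view=auto; Expires=Tue, 04 Feb 2014 01:47:04 GMT; Path=/",
    "horde_secret_key=def456; Path=/; HttpOnly",
]
NOW = datetime(2014, 2, 3, 13, 47, 4, tzinfo=timezone.utc)  # constructed clock


def lifetimes(set_cookie_values, now):
    """Return {name: seconds left, or None if the cookie ends with the browser session}."""
    result = {}
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if morsel["max-age"]:  # Max-Age takes precedence over Expires (RFC 6265)
                result[name] = int(morsel["max-age"])
            elif morsel["expires"]:
                expires = parsedate_to_datetime(morsel["expires"])
                result[name] = int((expires - now).total_seconds())
            else:
                result[name] = None  # no lifetime attribute: browser-session cookie
    return result


def outlives_browser(set_cookie_values, key_cookie, now):
    """List cookies that survive a browser restart although key_cookie does not."""
    seen = lifetimes(set_cookie_values, now)
    if key_cookie not in seen or seen[key_cookie] is not None:
        return []  # key cookie absent or itself persistent: no mismatch of this kind
    return sorted(n for n, left in seen.items() if left is not None and left > 0)


if __name__ == "__main__":
    for name in outlives_browser(SAMPLE, "horde_secret_key", NOW):
        print(f"{name}: persists after browser close, horde_secret_key does not")
```

An empty result for the deployed settings means every cookie ends together with the key cookie when the browser closes.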