[horde] Horde session handling

[Claude Tompers]

On Mon, 03 Feb 2014 14:47:04 +0100
Ralf Lang <lang at b1-systems.de> wrote:

> On 03.02.2014 14:26, Claude Tompers wrote:
> > Hi,
> > 
> > I discovered a problems with horde's session handling.
> > If a user does not log out and just closes his browser, reopening
> > the browser does not kill the session completely.
> > 
> > Having a look at Horde's cookies, default_horde_view and webmail
> > cookie both have a lifetime of 12h and survive the browser
> > "restart" whereas horde_secret_key gets invalidated when the
> > browser closes.
> > 
> > The result is, that the browser logs in into Horde but can not
> > access any imap information (sending a blank password). It is
> > impossible to do any operation because you can not authenticate,
> > still this does not look nice to the user. Shouldn't all cookies
> > behave the same way ? Ideally getting invalidated when the browser
> > closes.
> > 
> > Is the cookie lifetime configurable and have I overseen this, or is
> > this fixed in the code ?
> > 
> > (tested on latest Horde and latest Firefox)
> 
> Please see the cookie lifetime settings in conf.php especially *
> $conf[session][timeout] and $conf[session][max_time]
> 
> They are in horde config General tab under session.
> 
> Would you suggest different defaults?
> 
> 

Hi Ralf,

Thanks for your help, that was exactly what I was looking for. I
desperately searched in the "Session handler" tab.
The defaults seem just fine, but I had different values. My fault,
sorry.

kind regards,
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.horde.org/archives/horde/attachments/20140203/c64c5a40/attachment.bin>