[imp] Security Question

Andreas Ebinger ebinger@uni-hohenheim.de
Mon, 30 Oct 2000 10:22:42 +0100 (CET)


> Quoting Andreas Ebinger <ebinger@uni-hohenheim.de>:
> 
> > (my configuration: horde-imp 2.2.3, apache-1.3.12, mysql-3.22.32, php-4.0.3.p1,
> > lifetime=0)
> > 
> > If I log in with cookies, then save the URL (bookmark), close Netscape, start
> > Netscape again, turn the cookies off and go to the bookmark,
> > then I am logged in on my account.
> > (If I leave cookies on, I will be asked for the password / I have to log in
> > again.)
> > And I think if you turn off cookies all the time, I will get the same
> > results.
> > When will the session be cancelled if you turn cookies off?
> 
> Whenever it is garbage collected.
>

The default value is 1440 minutes
(var $gc_time  = 1440;               // Purge all session data older than 1440 minutes.)
Is it a performance problem to use such a high value?
 
> > If I want to keep the lifetime=0, can I do anything against that?
> 
> You can make it more likely that sessions will be garbage collected.
> 
> > And if I change lifetime to a different value, do I have to turn cookies on?
> 
> I'm not actually sure if phplib's session code will check the lifetime in any
> way other than expecting cookies to expire.
> 
I changed the lifetime value and I was still able to log in without cookies.
The value of the lifetime is ignored for the session without cookies.

I would like to ignore all login attempts without cookies. I think horde-imp
version 2.0.x did that; is there a way to do this in version 2.2.x?

Somewhere I read that in horde-imp 2.3.x you changed the session
management and you are not using phplib anymore. What is different?

And if I change the session management (in version 2.2.x) to shared
memory, LDAP or a DBM database, I will probably have the same problems?
As long as someone is able to get to know the session ID, he/she will be
able to use my mail account from a different computer with a different
user ID (if I am still logged in or the session is not garbage collected).

In Germany a couple of freemailers had problems with that, and there were always
people who used the security holes to change things, and I think getting
to know the URL with the session ID is not such a big deal, or is it?

Should I just change to version 2.3.x ?

Andreas

Andreas Ebinger
Rechenzentrum Uni Hohenheim
ebinger@uni-hohenheim.de
Telefon: 0711/459-3948
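The policy Andreas is asking for (only honour a session ID that arrives in a cookie, so a bookmarked URL that still carries the ID does not resume the login) together with the gc_time versus lifetime distinction from the thread, as an added Python model; this is not Horde's or phplib's code, and the cookie name `session_id`, the `SessionStore` API and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float    # login time, for the absolute lifetime check
    last_seen: float  # last request, for garbage collection

class SessionStore:
    """Model of a cookie-only server-side session store (not Horde/phplib code)."""

    def __init__(self, gc_minutes=1440, lifetime_minutes=0, clock=time.time):
        self.gc_seconds = gc_minutes * 60              # phplib-style $gc_time
        self.lifetime_seconds = lifetime_minutes * 60  # 0 = no absolute limit
        self.clock = clock                             # injectable for testing
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)  # 128-bit random ID, not guessable
        now = self.clock()
        self.sessions[sid] = Session(user, now, now)
        return sid

    def gc(self):
        """Purge sessions idle longer than gc_time; returns how many were removed."""
        now = self.clock()
        stale = [s for s, v in self.sessions.items() if now - v.last_seen > self.gc_seconds]
        for s in stale:
            del self.sessions[s]
        return len(stale)

    def resolve(self, cookies, url_params):
        """Return the logged-in user for a request, or None.
        url_params is taken only to make the policy explicit: an ID that
        arrives in the URL (bookmark, Referer, proxy log) but not in a cookie
        is ignored, so the bookmark replay from the thread fails."""
        self.gc()
        sid = cookies.get("session_id")
        if sid is None or sid not in self.sessions:
            return None
        sess = self.sessions[sid]
        if self.lifetime_seconds and self.clock() - sess.created > self.lifetime_seconds:
            del self.sessions[sid]  # absolute lifetime exceeded, even with the cookie
            return None
        sess.last_seen = self.clock()
        return sess.user
```

With `lifetime_minutes=0` the only thing that ends a session is garbage collection after `gc_minutes` of inactivity, which is the behaviour the thread observes; a non-zero lifetime is enforced server-side here rather than left to cookie expiry.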