[imp] Security - user A got into userB's email

Eric Rostetter eric.rostetter at physics.utexas.edu
Wed Oct 29 08:26:32 PST 2003


Quoting Kim Hoffman <khoffman at uwo.ca>:

> Cookies are OK for those who own their own systems.  However, we think
> cookies would be insecure for users who 'share' systems.

Cookies will always be more secure than url get strings.  Cookies do stay
on the hard drive, but at least they expire.  URL strings stay on the hard
drive in more places, are passed via the referer tag (fixed in newer Horde
versions), can be viewed by the person sitting next to you, can be bookmarked,
can be e-mailed, etc.  They are much less secure.

> What did you set your 'session.entropy_length = xx' ?

32.  Be sure to set a good session.entropy_file setting also.

> Would this make any difference?

Yes.

> By setting 'session.entropy_length = xx' to a very high number, would this
> impact performance?

Yes.  You shouldn't need to set it too high.  32 should work.  64 would be
about max.  Anything higher is probably not helping, and will impact performance
some.  Maybe not much, but some.

From the horde/docs/SECURITY (CVS HEAD):

For the most security, you should enable PHP session cookies by enabling
the php setting session.use_cookies.  When doing so, be sure to set an
appropriate session.cookie_path and session.cookie_domain also to secure
your cookies.

If PHP sessions are set to use the "files" save_handler, then these files
should be secured properly.  Sites can increase security by setting the
php setting session.save_path to a directory that is only readable and
writable by the web server process.

Sites with a large user base should consider setting the session.entropy_file
and session.entropy_length to appropriate values.

Horde will encrypt the user credentials before storing them in the session.
However, this encryption can be improved if you have and enable the php
extension "mcrypt" which allows for stronger encryption than is otherwise
provided by Horde.

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
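The settings discussed in this thread, collected into one php.ini fragment as an added example (not from the post, the Horde SECURITY document, or the Horde project). The weak values are shown commented out next to the hardened ones; the cookie path, cookie domain and session directory are assumed values, and session.use_only_cookies and session.use_trans_sid go slightly beyond the post, closing the same URL-based session-id leak it describes.

```ini
; Added example, not from the post or from Horde: a php.ini fragment
; contrasting weak session settings (commented out) with the hardened
; values the post recommends. Paths and the domain are assumptions.

[Session]
; Weak: the session id travels in the URL, so it ends up in browser
; history, bookmarks, forwarded mail, proxy/server logs and the
; Referer header, exactly the leak the thread describes.
;session.use_cookies = 0
;session.use_trans_sid = 1

; Hardened: the id is only ever carried in a cookie, never in a GET string
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0

; Scope the cookie to the webmail path and host (assumed values) so it is
; not sent to unrelated applications on the same server or domain
session.cookie_path = /horde
session.cookie_domain = webmail.example.edu
; Pure session cookie: discarded when the browser is closed
session.cookie_lifetime = 0

; Weak: the default world-readable directory shared with every local
; process, so any local user can list or read session files
;session.save_handler = files
;session.save_path = /tmp

; Hardened: a directory readable and writable only by the web server
; user (assumed path; e.g. chown www-data and chmod 0700 on it)
session.save_handler = files
session.save_path = /var/lib/php/horde-sessions

; Session id entropy as discussed in the post: 32 bytes from the kernel
; RNG mixed into the id, so ids are not guessable from time and PID alone
session.entropy_file = /dev/urandom
session.entropy_length = 32
```

After restarting the web server, the effective values can be checked with `php -i | grep session` or a phpinfo() page, and the session directory's ownership and mode with `ls -ld` on the configured save_path. Note that session.entropy_file and session.entropy_length only apply to PHP versions before 7.1; from 7.1 onward PHP always draws session ids from the system CSPRNG and these two directives were removed, while the cookie and save_path settings above remain valid.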
