| Summary | horde_secret_key cookie does not use configured session timeout |
| Queue | Horde Framework Packages |
| Queue Version | FRAMEWORK_5_1 |
| Type | Enhancement |
| State | Rejected |
| Priority | 1. Low |
| Owners | |
| Requester | horde (at) stefanseidel (dot) info |
| Created | 8/18/14 (4326 days ago) |
| Due | |
| Updated | 8/18/14 (4326 days ago) |
| Assigned | |
| Resolved | 8/18/14 (4326 days ago) |
| Milestone | |
| Patch | Yes |
configurations, and not necessary either.
The horde session can be configured to survive a browser close, but it
will be partially unusable because e.g. the IMAP login information
cannot be recovered without the key. If that is intentional, it should
at least be documented.
session data (which is both more secure and stable). So we want the
cookie to be non-expiring within the browser session.
State ⇒ Rejected
configurations, and not necessary either.
Priority ⇒ 1. Low
New Attachment: hs.patch
Patch ⇒ Yes
Milestone ⇒
Queue ⇒ Horde Framework Packages
Summary ⇒ horde_secret_key cookie does not use configured session timeout
Type ⇒ Enhancement
State ⇒ New
http://lists.horde.org/archives/horde/Week-of-Mon-20140203/050583.html
it seems it is not intentional:
in pear/php/Horde/Secret.php, a cookie is set, and the lifetime of the
cookie is set to 0, which means it is removed when the browser is
closed. This can be seen as a security feature, however, it is not
consistent with the rest of the horde session, because its cookie
timeout is set according to $conf['session']['timeout']. Attached is a
small workaround that honours this configuration setting, and with
this the horde session expires at the same time as the horde_secret.