[#8423] Security Audit
Summary Security Audit
Queue Horde Base
Queue Version Git master
Type Enhancement
State Assigned
Priority 2. Medium
Owners Horde Developers (at) , chuck (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 2009-07-10
Updated 2011-03-31
Milestone 5
Patch No

2011-03-31 23:38:46 Jan Schneider Summary ⇒ Security Audit
Version ⇒ Git master
Milestone ⇒ 5
2009-07-10 02:57:07 Chuck Hagenbuch Comment #1
State ⇒ Assigned
Patch ⇒ No
Milestone ⇒ 4
Assigned to Horde Developers
Assigned to Chuck Hagenbuch
Queue ⇒ Horde Base
Priority ⇒ 2. Medium
Type ⇒ Enhancement
Summary ⇒ H4 Security Audit
deprecate blatantly insecure auth schemes; make sure to use a salted auth scheme by default

need a hook or setting to limit # of unsuccessful login attempts to horde

need a hook or setting to limit easily guessable passwords

require re-authentication before changing passwords, or other sensitive operations

don't use the same secret key for multiple purposes

allow key rotation

make sure cookies are set with the secure flag when ssl is used

get rid of URL-based sessions entirely

limit the lifetime of even session-based cookies

authenticator cookie:

- push the username and some other basic info (browser string, ip, ... ?) into the data parameter ("s"), to avoid having to init the session on most page loads

- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?