<?xml version="1.0" encoding="UTF-8"?> 
<?xml-stylesheet href="/h/themes/default/feed-rss.xsl" type="text/xsl"?> 
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> 
 <channel> 
  <title>Security Audit</title> 
  <pubDate>Wed, 22 May 2013 11:46:49 +0000</pubDate> 
  <link>http://bugs.horde.org/ticket/8423</link> 
  <atom:link rel="self" type="application/rss+xml" title="Security Audit" href="http://bugs.horde.org/ticket/8423/rss" /> 
  <description>Security Audit</description> 
 
   
   
  <item> 
   <title>deprecate blatantly insecure auth schemes; make sure to use </title> 
   <description>deprecate blatantly insecure auth schemes; make sure to use a salted auth scheme by default

need a hook or setting to limit # of unsuccessful login attempts to horde

need a hook or setting to limit easily guessable passwords

require re-authentication before changing passwords, or other sensitive operations

don't use the same secret key for multiple purposes

allow key rotation

reference:

http://cookies.lcs.mit.edu/

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

make sure cookies are set with the secure flag when ssl is used

get rid of URL-based sessions entirely

limit the lifetime of even session-based cookies

authenticator cookie:

exp=t&amp;data=s&amp;digest=MAC(xp=t&amp;data=s)

- push the username and some other basic info (browser string, ip, ... ?) into the data parameter (&quot;s&quot;), to avoid having to init the session on most page loads

- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?</description> 
   <pubDate>Fri, 10 Jul 2009 02:57:07 +0000</pubDate> 
   <link>http://bugs.horde.org/ticket/8423#t54887</link> 
  </item> 
   
   
 
 </channel> 
</rss> 
