[#8423] Security Audit
Summary Security Audit
Queue Horde Base
Queue Version Git master
Type Enhancement
State Assigned
Priority 2. Medium
Owners Horde Developers, chuck@horde.org
Requester chuck@horde.org
Created 2009-07-10 (4125 days ago)
Updated 2011-03-31 (3496 days ago)
Milestone 5
Patch No

Chuck Hagenbuch <chuck@horde.org> 2009-07-10 02:57:07
deprecate blatantly insecure auth schemes; make sure to use a salted 
auth scheme by default

need a hook or setting to limit # of unsuccessful login attempts to horde

need a hook or setting to limit easily guessable passwords

require re-authentication before changing passwords, or other 
sensitive operations

don't use the same secret key for multiple purposes

allow key rotation




make sure cookies are set with the secure flag when ssl is used

get rid of URL-based sessions entirely

limit the lifetime of even session-based cookies

authenticator cookie:


- push the username and some other basic info (browser string, ip, ...?)
into the data parameter ("s"), to avoid having to init the session
on most page loads

- store other session data by key in a backend, accessed on-demand and 
saved only when dirty? what about commonly used info like prefs? cache 
with username in the key in the cache backend instead?
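
Added example, not part of the ticket and not Horde's code: a PHP sketch (7.3 or later) of how several items above could combine in one authenticator cookie, with a per-purpose derived key, a key id for rotation, an expiry covered by the MAC, and the secure flag set when SSL is in use. The cookie layout, the `auth-cookie` purpose label, the key ids, the cookie name and all function names are assumptions made for illustration.

```php
<?php
// Added illustration: layout, labels, key ids and function names are assumptions.
const MASTER_KEYS = [1 => 'constructed-sample-key-0001',   // old key, still accepted
                     2 => 'constructed-sample-key-0002'];  // constructed sample values
const CURRENT_KEY_ID = 2;   // new cookies are signed under this key id
const MAX_LIFETIME = 3600;  // seconds; enforced server-side inside the MAC

// One derived key per purpose, so the cookie MAC key is never reused elsewhere.
function purposeKey(int $keyId, string $purpose): string
{
    return hash_hkdf('sha256', MASTER_KEYS[$keyId], 32, $purpose);
}

function issueAuthCookie(string $user, string $userAgent, int $now): string
{
    $data = base64_encode(json_encode(['u' => $user, 'ua' => hash('sha256', $userAgent)]));
    $body = CURRENT_KEY_ID . '|' . ($now + MAX_LIFETIME) . '|' . $data;
    return $body . '|' . hash_hmac('sha256', $body, purposeKey(CURRENT_KEY_ID, 'auth-cookie'));
}

// Returns the username, or null if the cookie is forged, expired or mismatched.
function verifyAuthCookie(string $cookie, string $userAgent, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$keyId, $expires, $data, $mac] = $parts;
    if (!array_key_exists((int) $keyId, MASTER_KEYS)) {
        return null;  // key was rotated out
    }
    $expected = hash_hmac('sha256', "$keyId|$expires|$data", purposeKey((int) $keyId, 'auth-cookie'));
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;
    }
    $info = json_decode((string) base64_decode($data, true), true);
    $ua = is_array($info) ? (string) ($info['ua'] ?? '') : '';
    return hash_equals(hash('sha256', $userAgent), $ua) ? (string) ($info['u'] ?? '') : null;
}

// Session cookie (no expires), flagged secure whenever the request came over SSL.
function sendAuthCookie(string $value): bool
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return setcookie('auth', $value, ['path' => '/', 'secure' => $https, 'httponly' => true]);
}
```

Rotation in this sketch means adding a new entry to `MASTER_KEYS` and raising `CURRENT_KEY_ID`; removing an old entry invalidates every cookie signed under it.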