Comment on [#8423] Security Audit
> deprecate blatantly insecure auth schemes; make sure to use a salted
> auth scheme by default
>
> need a hook or setting to limit # of unsuccessful login attempts to horde
>
> need a hook or setting to limit easily guessable passwords
>
> require re-authentication before changing passwords, or other
> sensitive operations
>
> don't use the same secret key for multiple purposes
> allow key rotation
>
> reference:
> http://cookies.lcs.mit.edu/
> http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
>
> make sure cookies are set with the secure flag when ssl is used
>
> get rid of URL-based sessions entirely
>
> limit the lifetime of even session-based cookies
>
> authenticator cookie:
> exp=t&data=s&digest=MAC(exp=t&data=s)
> - push the username and some other basic info (browser string, ip,
> ... ?) into the data parameter ("s"), to avoid having to init the
> session on most page loads
>
> - store other session data by key in a backend, accessed on-demand
> and saved only when dirty? what about commonly used info like prefs?
> cache with username in the key in the cache backend instead?
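As an added example (not code from the ticket or from Horde), the authenticator cookie scheme quoted above in Python: a cookie of the form `exp=t&data=s&digest=MAC(exp=t&data=s)` is issued with HMAC-SHA256 over a dedicated key, and verified by checking the MAC in constant time before the expiry is trusted. The key, the clock values and the `data` contents are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key. It is used only for cookie signing, in line with the
# ticket's point about not reusing one secret for several purposes.
COOKIE_KEY = b"constructed-demo-key-do-not-use-in-production"


def _mac(key: bytes, exp: int, data: str) -> str:
    # The MAC covers exactly the exp and data fields in a fixed encoding,
    # so the verifier can rebuild the same byte string from the cookie.
    msg = urlencode({"exp": exp, "data": data}).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(key: bytes, data: str, now: int, lifetime: int) -> str:
    """Build exp=t&data=s&digest=MAC(exp=t&data=s) with a bounded lifetime."""
    exp = now + lifetime
    return urlencode({"exp": exp, "data": data, "digest": _mac(key, exp, data)})


def verify_cookie(key: bytes, cookie: str, now: int):
    """Return the data string if the cookie is authentic and unexpired, else None."""
    fields = parse_qs(cookie, keep_blank_values=True)
    try:
        exp = int(fields["exp"][0])
        data = fields["data"][0]
        digest = fields["digest"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # Authenticate first, with a constant-time comparison; only a cookie whose
    # MAC checks out gets its exp field believed.
    if not hmac.compare_digest(digest, _mac(key, exp, data)):
        return None
    if now >= exp:
        return None
    return data


if __name__ == "__main__":
    # Constructed session data: username plus browser string, as the ticket suggests.
    session = urlencode({"user": "alice", "ua": "Mozilla/5.0 (demo)"})
    cookie = issue_cookie(COOKIE_KEY, session, now=1_000, lifetime=3_600)
    print(cookie)
    print(verify_cookie(COOKIE_KEY, cookie, now=2_000))   # session data
    print(verify_cookie(COOKIE_KEY, cookie, now=4_600))   # None: expired
```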