
List:       horde
Subject:    [horde] WG: Re:  forcing logouts?
From:       Jan Schneider <jan () horde ! org>
Date:       2007-02-26 23:10:48
Message-ID: 20070227001048.0crkl66ki88g04co () neo ! wg ! de

----- Forwarded message from kevin.konowalec@ualberta.ca -----
      Date: Mon, 26 Feb 2007 15:55:00 -0700
      From: Kevin Konowalec <kevin.konowalec@ualberta.ca>
   Subject: Re: [horde] forcing logouts?
        To: Jan Schneider <jan@horde.org>


On Feb 26, 2007, at 3:05 PM, Jan Schneider wrote:

> Quoting Kevin Konowalec <webadmin@ualberta.ca>:
>
>> So I was hoping it would be possible to prevent users from  
>> navigating away from horde (in the window the user logged into  
>> horde in) or shutting down the browser without logging out.  Has  
>> anyone looked into doing something similar?  I'm sure I could go  
>> through and add a chunk of javascript to every page as a footer  
>> that would accomplish this but if there's a better/more elegant  
>> solution I'd love to know about it.
>
> If they are shutting down the browser, the browser session is lost  
> which is almost as safe as logging out. At least if cookies are  
> turned on, but you have forced to use cookies, don't you?
> If this is not sufficient, you can configure the cookies to time out  
> after a while, instead of when closing the browser. But that doesn't  
> help if someone is accessing the same computer directly after the  
> first user left.
>
> Jan.


Shutting down the browser would be sufficient in terms of security,  
yes.  However, navigating away from horde and forgetting you did so  
wouldn't allow you the same luxury unless you did shut down the  
browser when you're finished... which is what I'm hoping most do in  
public labs.

Ultimately the concern is not only security but also a question of  
system monitoring and statistics.  The powers that be are demanding  
usage stats from all services and I'm having a hard time giving  
concrete numbers.  Since there is no statistics module in horde that  
can tell me how many people are concurrently using the system, nor  
incremental usage over time, I'm having to derive it from the horde  
logs.  But the horde logs seem to say that there are nearly double the  
number of users logging in than logging out in a given day.

I'm still analyzing my logs to figure out what exactly it's telling me  
but is it possible that horde is recording a login multiple times in a  
session?  If not then I've either made a mistake in analysis OR there  
are a lot of people not logging out properly:

Feb 15

Total number of logins:  76682
Total number of logouts:  37114
Total number of DISTINCT logins:  25918
Total number of DISTINCT logins without logouts:  13942
Total number of DISTINCT proper login/logouts:  11938
Total number of failed login attempts:  5713
Average number of logins per user:  2.96080929765628
Average number of logouts per user:  2.65024453394707
Number of users with more logins than logouts:  15940


It's interesting to see things like this:

Feb 26 12:41:50 src@webcluster6 HORDE[32093]: [imp] Login success for xxxx@ualberta.ca [aa.aa.aa.aa] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 12:47:40 src@webcluster6 HORDE[4324]: [imp] Login success for xxxx@ualberta.ca [aa.aa.aa.aa] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 12:48:13 src@webcluster6 HORDE[3314]: [imp] Logout for xxxx@ualberta.ca [aa.aa.aa.aa] from {142.244.12.147:143} [on line 42 of "/var/www/horde/imp/login.php"]


Why would you see two sequential logins like that without any activity  
in between?






----- End of forwarded message -----


Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
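
The per-user login/logout tally discussed in the forwarded message, as an added example that is not part of the original thread and not Horde code. It parses only the two [imp] entry shapes quoted above; the sample lines, user names and addresses are constructed, and pairing a logout with one open login per user is an assumption, since the quoted entries carry no session identifier.

```python
import re
from collections import Counter, defaultdict

# Matches the "Login success" and "Logout" [imp] entries quoted in the message.
ENTRY = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ HORDE\[\d+\]: \[imp\] '
    r'(?P<event>Login success|Logout) for (?P<user>\S+) \[(?P<ip>[^\]]+)\]'
)

# Constructed sample input (placeholder users and documentation addresses).
SAMPLE = """\
Feb 26 09:00:01 src@webcluster6 HORDE[100]: [imp] Login success for bob@example.org [192.0.2.20] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 09:30:00 src@webcluster6 HORDE[101]: [imp] Logout for bob@example.org [192.0.2.20] from {142.244.12.147:143} [on line 42 of "/var/www/horde/imp/login.php"]
Feb 26 10:15:00 src@webcluster6 HORDE[102]: [imp] Login success for carol@example.org [192.0.2.30] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 12:41:50 src@webcluster6 HORDE[103]: [imp] Login success for alice@example.org [192.0.2.10] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 12:47:40 src@webcluster6 HORDE[104]: [imp] Login success for alice@example.org [192.0.2.10] to {142.244.12.147:143} [on line 152 of "/var/www/horde/imp/redirect.php"]
Feb 26 12:48:13 src@webcluster6 HORDE[105]: [imp] Logout for alice@example.org [192.0.2.10] from {142.244.12.147:143} [on line 42 of "/var/www/horde/imp/login.php"]
Feb 26 12:50:00 src@webcluster6 HORDE[106]: [horde] constructed unrelated entry
"""

def summarize(lines):
    logins, logouts = Counter(), Counter()
    open_logins = defaultdict(int)   # logins not yet matched by a logout
    repeated = []                    # logins seen while one was still open
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue                 # other modules / entry types are ignored
        user = m['user']
        if m['event'] == 'Login success':
            if open_logins[user] > 0:
                repeated.append((user, m['ts']))
            open_logins[user] += 1
            logins[user] += 1
        else:
            logouts[user] += 1
            # Assumption: one logout closes one open login, never below zero.
            open_logins[user] = max(0, open_logins[user] - 1)
    return {
        'total_logins': sum(logins.values()),
        'total_logouts': sum(logouts.values()),
        'distinct_users': len(logins),
        'never_logged_out': sorted(u for u in logins if logouts[u] == 0),
        'more_logins_than_logouts': sorted(u for u in logins if logins[u] > logouts[u]),
        'repeated_logins': repeated,
    }

if __name__ == '__main__':
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f'{key}: {value}')
```

The `repeated_logins` list gives the timestamps at which a user logged in again with an earlier login still unmatched, which is the pattern shown in the three quoted log entries.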