48 lines
2.2 KiB
Plaintext
MBOX-Line: From mrc at CAC.Washington.EDU Thu Nov 23 14:01:34 2006
To: imap-protocol@u.washington.edu
From: Mark Crispin <mrc@CAC.Washington.EDU>
Date: Fri Jun 8 12:34:38 2018
Subject: [Imap-protocol] RFC 3501 section 5.4 Autologout timer
In-Reply-To: <OFA9534B24.F7AFC6BC-ON8825722F.0072265E-8825722F.0073EC06@ca.ibm.com>
References: <OFA9534B24.F7AFC6BC-ON8825722F.0072265E-8825722F.0073EC06@ca.ibm.com>
Message-ID: <alpine.OSX.0.7.0611231345060.17689@pangtzu.panda.com>

On Thu, 23 Nov 2006, Perry Ruiter wrote:

> The subject section of the RFC states that if a server has an inactivity
> autologout timer it can not be less than 30 minutes. I'd like to propose
> that the 30 minute rule only apply to client connections that have entered
> the authenticated state. Connections that have not authenticated could be
> subject to a much shorter timeout value, perhaps 1 minute or less.

Section 5.4 was never intended to apply to non-authenticated sessions.

I have made a note in the RFC 3501 errata to add "that applies to sessions
after authentication" before the comma.

ftp://ftp.cac.washington.edu/mail/imap.rfcs/rfc3501-errata

This explicitly makes the specification be silent on the question of
autologout prior to authentication, and not imply that the 30-minute rule
applies to non-authenticated sessions.

I believe that the specification should be silent on that point, as
otherwise it triggers security considerations. By being silent, it is
left up to implementation discretion, and possibly a future security rule
imposed by the IESG.

For what it's worth, UW imapd has a 3 minute pre-authentication autologout
timer. There are actually two pre-authentication autologout timers: the
normal inactivity autologout timer, and a non-authenticated session age
time which is enforced at command completion. The latter is cancelled by
a successful authentication; a session could be over-age but still within
the 3 minute inactivity grace, but it must authenticate at that point.
The upshot is that a non-authenticated session will die between 3 and 6
minutes from its startup.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
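The two-timer scheme Mark describes for pre-authentication sessions (a 3 minute inactivity timer plus a 3 minute session-age limit that is only checked when a command completes and is cancelled by a successful login) can be modelled in a few lines. The following is an added illustration written for this page, not UW imapd's code; it assumes seconds as the unit, that the inactivity check fires strictly after the grace period expires, and that the post-authentication inactivity timer is the RFC 3501 section 5.4 minimum of 30 minutes. The `Session` and `close_time` names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Figures taken from the message above; the unit (seconds) is an assumption.
PREAUTH_INACTIVITY = 3 * 60    # inactivity grace before authentication
PREAUTH_MAX_AGE = 3 * 60       # session age limit, enforced only at command completion
POSTAUTH_INACTIVITY = 30 * 60  # RFC 3501 section 5.4 minimum once authenticated


@dataclass
class Session:
    """Hypothetical model of one IMAP connection and its autologout timers."""
    started: float
    authenticated: bool = False
    last_activity: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_activity = self.started

    def inactivity_deadline(self) -> float:
        """When the inactivity timer next fires if no further command arrives."""
        limit = POSTAUTH_INACTIVITY if self.authenticated else PREAUTH_INACTIVITY
        return self.last_activity + limit

    def complete_command(self, now: float, authenticates: bool = False) -> Optional[str]:
        """Called when a command finishes at time `now`.

        Returns the reason the session must be closed, or None if it stays open.
        """
        # The inactivity timer already fired before this command arrived.
        if now > self.inactivity_deadline():
            return "inactivity"
        self.last_activity = now
        if authenticates:
            # A successful login cancels the age timer for good.
            self.authenticated = True
            return None
        # Age limit: checked at command completion, never while the session is idle.
        if not self.authenticated and now - self.started > PREAUTH_MAX_AGE:
            return "over-age"
        return None


def close_time(commands: List[Tuple[float, bool]]) -> Tuple[float, str]:
    """Return (time, reason) at which a session started at t=0 is closed.

    `commands` is an ascending list of (completion_time, login_succeeded) pairs.
    If no command triggers a close, the session dies when the inactivity timer
    next fires, so the returned time is that deadline.
    """
    session = Session(started=0.0)
    for when, login in commands:
        reason = session.complete_command(when, login)
        if reason == "inactivity":
            return session.inactivity_deadline(), reason
        if reason == "over-age":
            return when, reason
    return session.inactivity_deadline(), "inactivity"


if __name__ == "__main__":
    # Constructed scenarios showing the 3 to 6 minute window from the message.
    print(close_time([]))                               # idle client: dies at 3 minutes
    print(close_time([(179.0, False), (358.0, False)]))  # keeps poking: dies just under 6 minutes
    print(close_time([(170.0, False), (190.0, False)]))  # within grace but over-age at 190 s
    print(close_time([(100.0, False), (200.0, True)]))   # logs in: 30 minute timer applies instead
```

The interesting case is the third one: the second command arrives only 20 seconds after the first, well inside the inactivity grace, but the session is already over three minutes old, so it is closed at command completion exactly as the message says. Whatever spacing a client chooses, an unauthenticated session cannot outlive twice the age limit, which is where the "between 3 and 6 minutes" figure comes from.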