MBOX-Line: From mrc at CAC.Washington.EDU Thu Nov 23 14:01:34 2006
To: imap-protocol@u.washington.edu
From: Mark Crispin <mrc@CAC.Washington.EDU>
Date: Fri Jun 8 12:34:38 2018
Subject: [Imap-protocol] RFC 3501 section 5.4 Autologout timer
In-Reply-To: <OFA9534B24.F7AFC6BC-ON8825722F.0072265E-8825722F.0073EC06@ca.ibm.com>
References: <OFA9534B24.F7AFC6BC-ON8825722F.0072265E-8825722F.0073EC06@ca.ibm.com>
Message-ID: <alpine.OSX.0.7.0611231345060.17689@pangtzu.panda.com>
On Thu, 23 Nov 2006, Perry Ruiter wrote:
> The subject section of the RFC states that if a server has an inactivity
> autologout timer it can not be less than 30 minutes. I'd like to propose
> that the 30 minute rule only apply to client connections that have entered
> the authenticated state. Connections that have not authenticated could be
> subject to a much shorter timeout value, perhaps 1 minute or less.
Section 5.4 was never intended to apply to non-authenticated sessions.
I have made a note in the RFC 3501 errata to add "that applies to sessions
after authentication" before the comma.
ftp://ftp.cac.washington.edu/mail/imap.rfcs/rfc3501-errata
This explicitly makes the specification be silent on the question of
autologout prior to authentication, and not imply that the 30-minute rule
applies to non-authenticated sessions.
I believe that the specification should be silent on that point, as
otherwise it triggers security considerations. By being silent, it is
left up to implementation discretion, and possibly a future security rule
imposed by the IESG.
For what it's worth, UW imapd has a 3 minute pre-authentication autologout
timer. There are actually two pre-authentication autologout timers: the
normal inactivity autologout timer, and a non-authenticated session age
time which is enforced at command completion. The latter is cancelled by
a successful authentication; a session could be over-age but still within
the 3 minute inactivity grace, but it must authenticate at that point.
The upshot is that a non-authenticated session will die between 3 and 6
minutes from its startup.
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.