From 8cb600016ae7ff88004938386f69dec240d837c9 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Sat, 25 Aug 2018 20:57:06 +0000
Subject: [PATCH] Add hidden configuration variables for anti-CSRF security token features

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14771 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 config/config_local.example.php | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/config/config_local.example.php b/config/config_local.example.php
index 22e2af73..0ac3d1b5 100644
--- a/config/config_local.example.php
+++ b/config/config_local.example.php
@@ -116,5 +116,24 @@
 * the appropriate quote character for the database type
 * being used (backtick for MySQL (and thus MariaDB),
 * double quotes for all others).
+ *
+ * $use_expiring_security_tokens (boolean) allows you to
+ * make SquirrelMail use short-lived anti-CSRF security
+ * tokens that expire as desired (not recommended, can
+ * cause user-facing issues when tokens expire unexpectedly).
+ *
+ * $max_token_age_days (integer) allows you to indicate how
+ * long a token should be valid for (in days) (only relevant
+ * when $use_expiring_security_tokens is enabled).
+ *
+ * $do_not_use_single_token (boolean) allows you to force
+ * SquirrelMail to generate a new token every time one is
+ * requested (which may increase obscurity through token
+ * randomness at the cost of some performance). Otherwise,
+ * only one token will be generated per user which will
+ * change only after it expires or is used outside of the
+ * validity period specified when calling
+ * sm_validate_security_token() (only relevant when
+ * $use_expiring_security_tokens is enabled).
+ *
 */
-
-- 
2.25.1
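Review bot: The new entry for `$use_expiring_security_tokens` marks expiring anti-CSRF tokens as "not recommended" but never says how long a token stays valid when the option is off, so an administrator cannot weigh the usability cost against the exposure window of a disclosed token. None of the three entries states its default value, and `$max_token_age_days` does not say what happens when it is unset or zero while expiry is enabled. I would add one line per entry in the form `* (default: <DEFAULT>; when unset: <BEHAVIOUR>)`, filled in from the token-handling code, which is not visible in this hunk. The comment block these lines extend starts above the hunk.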