[Tickets #10680] Re: Authentication via IMP does fail for some passwords while using IMAP directly does work
bugs at horde.org
Fri Feb 17 17:34:14 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/10680
------------------------------------------------------------------------------
Ticket | 10680
Updated By | Jan Schneider <jan at horde.org>
Summary | Authentication via IMP does fail for some passwords
| while using IMAP directly does work
Queue | Kronolith
Version | Git master
Type | Bug
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Jan Schneider, Michael Slusarz
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2012-02-17 18:34) wrote:
I *think* this is what's happening (at least in my case):
- The user is logging in without cookies
- Horde_Secret falls back to session_id()
- During the login process, the password is stored encrypted with session_id
- After logging in, the session id is generated to protect against
session fixation
- The new session_id is no longer the valid key for the encrypted
password, so decrypting fails
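
The sequence described in the message above, as an added example that is not part of the original ticket and is not Horde code. The Session class, the HMAC-based stand-in cipher and the rekey branch (one possible handling, not the fix Horde adopted) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _keys(key_material):
    # Derive separate encryption and MAC keys from the key material.
    k = key_material.encode()
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration only).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key_material, plaintext):
    enc, mac = _keys(key_material)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key_material, blob):
    # Returns None when the key does not match the one used to seal.
    enc, mac = _keys(key_material)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(enc, nonce, ct)

class Session:
    # Hypothetical model of a server-side session with no key cookie available.
    def __init__(self):
        self.id, self.data = secrets.token_hex(16), {}
    def regenerate_id(self):
        self.id = secrets.token_hex(16)

def login(sess, password, rekey):
    sess.data["password"] = seal(sess.id, password)  # key falls back to the session id
    old_id = sess.id
    sess.regenerate_id()                             # session-fixation defence
    if rekey:  # assumed handling: re-encrypt under the new id during rotation
        sess.data["password"] = seal(sess.id, unseal(old_id, sess.data["password"]))
    return unseal(sess.id, sess.data["password"])    # what later requests can read

if __name__ == "__main__":
    print(login(Session(), b"constructed-pw", rekey=False))  # key mismatch
    print(login(Session(), b"constructed-pw", rekey=True))   # password readable
```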