[Tickets #10680] Re: Authentication via IMP does fail for some passwords while using IMAP directly does work
bugs at horde.org
Mon Feb 20 06:17:58 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/10680
------------------------------------------------------------------------------
Ticket | 10680
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Authentication via IMP does fail for some passwords
| while using IMAP directly does work
Queue | Kronolith
Version | Git master
Type | Bug
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Jan Schneider, Michael Slusarz
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2012-02-19 23:17) wrote:
> I *think* this is what's happening (at least in my case):
> - The user is logging in without cookies
> - Horde_Secret falls back to session_id()
> - During the login process, the password is stored encrypted with session_id
> - After logging in, the session id is generated to protect against
> session fixation
> - The new session_id is no longer the valid key for the encrypted
> password, so decrypting fails
I agree - this is what I figured out last week also.
However, I don't know if this is a limitation in Horde_Secret or an
issue in IMP, because Horde_Secret doesn't clearly indicate in its
API that this can occur.
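
The sequence described in the message above, modelled as an added example (not Horde or IMP code, and not part of the ticket): a secret sealed under a key derived from the session id stops decrypting once the id is rotated, unless it is re-sealed during rotation. `Session`, `seal`, `unseal`, `login` and the `regenerate_*` methods are hypothetical names, and the HMAC-based cipher is a standard-library stand-in, not the cipher Horde_Secret uses.

```python
import hashlib, hmac, secrets

def _keys(session_id: str):
    # Both keys come only from the session id (the cookieless fallback case).
    return [hashlib.sha256(p + session_id.encode()).digest() for p in (b"enc", b"mac")]

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(session_id: str, plaintext: bytes) -> bytes:
    enc, mac = _keys(session_id)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(session_id: str, blob: bytes) -> bytes:
    enc, mac = _keys(session_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secret was sealed under a different session id")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

class Session:
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.data = {}

    def regenerate_naive(self):
        # Anti-fixation step alone: new id, sealed values left as they were.
        self.id = secrets.token_hex(16)

    def regenerate_rewrap(self):
        # Open every sealed value under the old id, rotate, seal under the new id.
        plain = {k: unseal(self.id, v) for k, v in self.data.items()}
        self.id = secrets.token_hex(16)
        self.data = {k: seal(self.id, v) for k, v in plain.items()}

def login(regenerate: str) -> bytes:
    s = Session()
    s.data["password"] = seal(s.id, b"constructed-sample-password")  # stored at login
    getattr(s, regenerate)()                 # id rotated after authentication
    return unseal(s.id, s.data["password"])  # later request needs the password again
```

`login("regenerate_naive")` raises `ValueError`, while `login("regenerate_rewrap")` returns the stored password.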