[Tickets #12043] Re: IE8: Sessions without cookies are broken
noreply at bugs.horde.org
Tue Feb 19 13:38:06 UTC 2013
Ticket URL: http://bugs.horde.org/ticket/12043
------------------------------------------------------------------------------
Ticket | 12043
Updated By | Thomas Jarosch <thomas.jarosch at intra2net.com>
Summary | IE8: Sessions without cookies are broken
Queue | IMP
Version | Git master
Type | Bug
State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Thomas Jarosch <thomas.jarosch at intra2net.com> (2013-02-19 13:38) wrote:
> Can't reproduce.
Ok, I found out what's going on after adding debug traces to Horde_Secret.
Remember Jan mentioning the invalid requests from broken CSS support in IE8?
The requests without the session id cause the secret key in
Horde_Secret::setKey() to be overwritten with the new session id. This
also updates the value in "$this->_keyCache".
Subsequent IMAP requests can't decrypt the password anymore and fail.
-> One "broken" request kills the whole session.
Steps to reproduce:
- Sessions without cookies in horde
- Disable cookies in PHP
- Clear all horde cookies
- Mark a message
- Hover "Delete" button
-> new session id will be generated by invalid request
What I'm wondering about:
How does the value in "$this->_keyCache" survive between HTTP requests?
When the next request with the original session id arrives,
$this->_keyCache['horde_secret'] returns the new, invalid session id.
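
The failure sequence described in this comment, modelled as an added example that is not part of the ticket and is not Horde code. `ToySecret`, its `$keyCache` array, the session ids and the password are hypothetical or constructed, the array stands in for whatever state carries the key between requests (the ticket leaves that open), and AES-256-GCM is an assumed cipher choice; it needs PHP 7.4+ with the openssl extension.

```php
<?php
// Added illustration, not Horde code. ToySecret and its $keyCache array are
// hypothetical; the array stands in for whatever state outlives one request.
final class ToySecret
{
    public array $keyCache = [];   // key name => key material
    // As described in the ticket: with cookies off the session id is the
    // key, and the cached value is overwritten by the requesting session's id.
    public function setKey(string $name, string $sessionId): void
    {
        $this->keyCache[$name] = $sessionId;
    }

    public function write(string $name, string $plain): string
    {
        $iv = random_bytes(12);
        $ct = openssl_encrypt($plain, 'aes-256-gcm', $this->aesKey($name),
            OPENSSL_RAW_DATA, $iv, $tag);
        return $iv . $tag . $ct;   // 12-byte IV, 16-byte tag, ciphertext
    }

    // Returns null when the GCM tag does not verify under the cached key.
    public function read(string $name, string $blob): ?string
    {
        $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm',
            $this->aesKey($name), OPENSSL_RAW_DATA,
            substr($blob, 0, 12), substr($blob, 12, 16));
        return $plain === false ? null : $plain;
    }
    private function aesKey(string $name): string
    {
        return hash('sha256', $this->keyCache[$name], true);
    }
}

$secret = new ToySecret();
$report = fn(string $step, ?string $out) =>
    printf("%-28s %s\n", $step, $out === null ? 'decrypt FAILED' : 'decrypt ok');

// Request 1 (constructed ids): login, password stored under the original id.
$secret->setKey('horde_secret', 'sess-original');
$stored = $secret->write('horde_secret', 'imap-password');
$report('original session, before:', $secret->read('horde_secret', $stored));

// Request 2: a request without a session id gets a fresh id and re-keys.
$secret->setKey('horde_secret', 'sess-new');

// Request 3: the original session returns, but the cached key is the new id.
$report('original session, after:', $secret->read('horde_secret', $stored));
```

Because the model uses an authenticated cipher, the key mismatch surfaces as an explicit failure that the caller can log, rather than as garbage plaintext passed on to the IMAP login.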