[dev] Re: [cvs] commit: horde/services go.php
Chuck Hagenbuch
chuck at horde.org
Fri Aug 13 21:02:39 PDT 2004
Quoting Jan Schneider <jan at horde.org>:
> That's already the case now, though a simple redirect is of course not as
> bandwidth/performance hogging as an fpassthru(). We could do a simple Auth
> check without loading the full registry. But in this case
> Horde::externalUrl() needs to check if the user is not authenticated, so as
> not to do the redirect for guests.
I don't think that's the answer.
>> Could go.php simply refresh to itself until the SID is out of the URL?
>
> The refresh is not the problem, we do it for non-cookie sessions only
> anyway.
Okay.
>> This isn't even an issue for cookie-based sessions, right?
>
> It is unfortunately, as long as the user is authenticated.
Okay, so looking at the code, we don't check cookies or not in
Horde::externalUrl() or in services.php. My understanding of the purpose of
go.php is to make sure that a session id isn't in the Referrer: on the remote
site. Which would only be there for url-based sessions, right?
So, what if, if go.php was called with a session id in the referrer, and we
want to show an image, then we cycle through go.php one more time to clean the
referrer, and then do a Location: header to the image instead of the
Refresh: ?
I guess the problem would be following the Refresh: to go.php for the image,
or getting the referrer to clean up. Dunno.
-chuck
--
"Regard my poor demoralized mule!" - Juan Valdez
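
The hop selection proposed in the message above, written out as an added sketch; it is not Horde's go.php or code from this thread. The function names, the `url` parameter, the session name and the sample URLs are all hypothetical or constructed.

```php
<?php
// Added illustration only; not Horde code. Function names, the "url"
// parameter and every sample value below are hypothetical/constructed.

/** True if $url carries the session id as a query or ";name=" path parameter. */
function urlCarriesSession(string $url, string $sessionName): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);
        if (array_key_exists($sessionName, $params)) {
            return true;
        }
    }
    $path = parse_url($url, PHP_URL_PATH);
    return is_string($path) && strpos($path, ';' . $sessionName . '=') !== false;
}

/** Returns [header name, header value] for the next hop of the redirector. */
function planHop(string $target, string $referer, string $self,
                 string $sessionName, bool $isImage): array
{
    if (urlCarriesSession($referer, $sessionName)) {
        // The Referer still exposes the session id: pass through the
        // redirector once more, with no session id in its own URL.
        // The message's open question applies to this hop: whether an
        // image request will follow a Refresh: back to go.php.
        return ['Refresh', '0; URL=' . $self . '?url=' . rawurlencode($target)];
    }
    // Referer is clean: images get a plain Location:, pages keep the Refresh:.
    return $isImage ? ['Location', $target] : ['Refresh', '0; URL=' . $target];
}

// Constructed sample requests.
$sid  = 'PHPSESSID';
$self = 'https://mail.example.org/horde/services/go.php';
$img  = 'http://remote.example.net/banner.png';
$referers = [
    'https://mail.example.org/horde/imp/message.php?PHPSESSID=abc123&index=4',
    'https://mail.example.org/horde/services/go.php?url=http%3A%2F%2Fremote.example.net%2Fbanner.png',
    '',
];
foreach ($referers as $referer) {
    [$name, $value] = planHop($img, $referer, $self, $sid, true);
    printf("%-70.70s => %s: %s\n", $referer === '' ? '(none)' : $referer, $name, $value);
}
```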