[dev] Re: [cvs] commit: horde/services go.php

Jan Schneider jan at horde.org
Mon Aug 23 08:51:59 PDT 2004


Quoting Chuck Hagenbuch <chuck at horde.org>:

> Quoting Jan Schneider <jan at horde.org>:
>
>> That's already the case now, though a simple redirect is of course not as
>> bandwidth/performance hogging as an fpassthru(). We could do a simple Auth
>> check without loading the full registry. But in this case
>> Horde::externalUrl() needs to check if the user is not authenticated to
>> not do the redirect for guests.
>
> I don't think that's the answer.
>
>>> Could go.php simply refresh to itself until the SID is out of the URL?
>>
>> The refresh is not the problem, we do it for non-cookie sessions only
>> anyway.
>
> Okay.
>
>>> This isn't even an issue for cookie-based sessions, right?
>>
>> It is unfortunately, as long as the user is authenticated.
>
> Okay, so looking at the code, we don't check cookies or not in
> Horde::externalUrl() or in services.php. My understanding of the purpose of
> go.php is to make sure that a session id isn't in the Referrer: on the remote
> site. Which would only be there for url-based sessions, right?

Yes, but that's only one purpose (and the only one until now). The new,
second purpose is to avoid images or other HTML objects that get their data
from a URL getting that data from a page inside, eventually triggering an
action in Horde.
A possible third purpose would be to also strip the referrer for images
fetched from outside servers; this is probably what you are talking about.

> So, what if, if go.php was called with a session id in the referrer,
> and we want
> to show an image, then we cycle through go.php one more time to clean the
> referrer, and then do a Location: header to the image instead of the
> Refresh: ?

This wouldn't help, only for URL sessions. With cookie sessions you stay
authenticated, allowing images to call any action that requires
authentication.

> I guess the problem would be following the Refresh: to go.php for the
> image, or
> getting the referrer to clean up. Dunno.

Jan.

--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting.php
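The three cases the thread distinguishes (a URL-based session id still present in the Referer, a plain cookie session, and a target that points back inside the application) can be modelled as one decision function. This is an added illustration in Python, not Horde's go.php or any Horde code; the host name, the session parameter name and the function names are assumptions.

```python
"""Model of the redirector policy discussed in the thread (added example)."""
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values for the example: the installation's own host and the
# query parameter that carries the session id when cookies are not used.
APP_HOST = "horde.example.org"
SESSION_PARAM = "Horde"
REDIRECTOR = "/services/go.php?url="


def is_internal(target, app_host=APP_HOST):
    """True if the target would load a page inside the application itself.

    A relative URL, a non-http(s) scheme, or an absolute URL on the
    application's own host all count as internal: an <img> in untrusted
    HTML must not be able to use the redirector to reach an authenticated
    action, which is the cookie-session problem raised in the thread.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return True
    return (parts.hostname or "").lower() == app_host.lower()


def decide_redirect(target, referer, session_param=SESSION_PARAM):
    """Return (action, value) for a request to the redirector.

    ('deny', None)        target points back into the application
    ('refresh', self_url) Referer still carries a URL session id: bounce
                          through the redirector once more so the id is
                          gone before the remote site sees any Referer
    ('location', target)  safe to answer with a plain Location: header
    """
    if is_internal(target):
        return ("deny", None)
    if referer:
        query = parse_qs(urlsplit(referer).query)
        if session_param in query:
            return ("refresh", REDIRECTOR + quote(target, safe=""))
    return ("location", target)
```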

