[horde] Horde ALWAYS perceiving the domain as example.com regardless of configuration

Andrew Morgan morgan at orst.edu
Thu Oct 14 16:35:34 UTC 2010

On Thu, 14 Oct 2010, jblank at twu.net wrote:

> I could understand it saving many things in the session cookie[s]... 
> however, server-side settings like 'where to send an email to' are not 
> among them. It seems quite odd that this particular setting is stored or 
> cached anywhere on the client end... Are you sure about that?
> This opens up the possibility that, if a user-side cookie can tell the 
> server who to email, that by manipulating this token, Horde can be used 
> as a spam gateway. (Of course, presumably the user would have to have an 
> account on the Horde-running system to even get to an email form... 
> right?)

The cookie stores a session-id, not any actual data.  The session data is 
stored in your session database (PHP's file-based sessions, MySQL, 
MemCache, etc) and keyed by the session-id.


More information about the horde mailing list