[horde] Horde ALWAYS perceiving the domain as example.com regardless of configuration
Andrew Morgan
morgan at orst.edu
Thu Oct 14 16:35:34 UTC 2010
On Thu, 14 Oct 2010, jblank at twu.net wrote:
> I could understand it saving many things in the session cookie[s]...
> however, server-side settings like 'where to send an email to' are not
> among them. It seems quite odd that this particular setting is stored or
> cached anywhere on the client end... Are you sure about that?
>
> This opens up the possibility that, if a user-side cookie can tell the
> server who to email, that by manipulating this token, Horde can be used
> as a spam gateway. (Of course, presumably the user would have to have an
> account on the Horde-running system to even get to an email form...
> right?)
The cookie stores a session-id, not any actual data. The session data is
stored in your session database (PHP's file-based sessions, MySQL,
MemCache, etc.) and keyed by the session-id.
Andy
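
A minimal model of the arrangement described in the reply above, added here as an illustration; it is not Horde's or PHP's code, and the cookie name, setting key and domain are constructed assumptions. It shows that a client who adds extra cookies or forges the id cannot change the server-side setting:

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session storage, keyed by session-id (stands in for PHP's
# file-based sessions, MySQL, MemCache, etc.). All names are hypothetical.
SESSION_STORE = {}
COOKIE_NAME = "SessionId"                 # assumed cookie name
SERVER_MAIL_DOMAIN = "mail.example.org"   # constructed server-side setting


def new_session():
    """Create a session; only the random id is ever sent to the client."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"maildomain": SERVER_MAIL_DOMAIN}
    return sid


def load_session(cookie_header):
    """Return (sid, data) for a request's Cookie header.

    Only the session-id cookie is read. An id that is not in the store
    gets a fresh session; other cookies are never consulted.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    sid = morsel.value if morsel else None
    if sid not in SESSION_STORE:
        sid = new_session()
    return sid, SESSION_STORE[sid]


def mail_domain_for(cookie_header):
    """The mail setting as the server sees it for this request."""
    return load_session(cookie_header)[1]["maildomain"]
```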