[horde] Horde ALWAYS perceiving the domain as example.com regardless of configuration
jblank at twu.net
Thu Oct 14 16:53:13 UTC 2010
On Thu, 14 Oct 2010, Andrew Morgan wrote:
> On Thu, 14 Oct 2010, jblank at twu.net wrote:
>
>> I could understand it saving many things in the session cookie[s]...
>> however, server-side settings like 'where to send an email to' are not
>> among them. It seems quite odd that this particular setting is stored or
>> cached anywhere on the client end... Are you sure about that?
>>
>> This opens up the possibility that, if a user-side cookie can tell the
>> server who to email, by manipulating this token, Horde can be used as
>> a spam gateway. (Of course, presumably the user would have to have an
>> account on the Horde-running system to even get to an email form... right?)
>
> The cookie stores a session-id, not any actual data. The session data is
> stored in your session database (PHP's file-based sessions, MySQL, MemCache,
> etc) and keyed by the session-id.
>
> Andy
>
I see. Makes more sense that way. :) Thank you!
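
The arrangement Andy describes, sketched as an added example that is not part of the original thread and is not Horde's code: the cookie carries only an opaque session ID, the session data lives in a server-side store keyed by that ID, and a server-side setting such as a mail recipient is never read from the client. The cookie name, the `problem_email` setting and all addresses are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side configuration (constructed value); never sent to the client.
SERVER_CONF = {"problem_email": "webmaster@example.org"}

# Stand-in for the session backend (PHP session files, MySQL, memcache, ...).
SESSION_STORE = {}

COOKIE_NAME = "SessionId"  # hypothetical cookie name


def login(username):
    """Create server-side session data and return the cookie string."""
    sid = secrets.token_urlsafe(32)  # opaque, unguessable lookup key
    SESSION_STORE[sid] = {"user": username}
    return f"{COOKIE_NAME}={sid}"


def load_session(cookie_header):
    """Return the session stored under the cookie's ID, or None if unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)


def report_recipient(cookie_header):
    """Choose the recipient for a mail form submission.

    Only the session ID is taken from the cookie. The address comes from
    server configuration, so extra cookie fields cannot redirect the mail,
    and an ID that is not in the store gets no session at all.
    """
    if load_session(cookie_header) is None:
        raise PermissionError("no valid session")
    return SERVER_CONF["problem_email"]


if __name__ == "__main__":
    cookie = login("alice")
    # A client appends its own field; the server never looks at it.
    tampered = cookie + "; problem_email=someone@elsewhere.example"
    print(report_recipient(tampered))
```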