[horde] Horde ALWAYS perceiving the domain as example.com regardless of configuration

jblank at twu.net jblank at twu.net
Thu Oct 14 16:53:13 UTC 2010

On Thu, 14 Oct 2010, Andrew Morgan wrote:

> On Thu, 14 Oct 2010, jblank at twu.net wrote:
>> I could understand it saving many things in the session cookie[s]... 
>> however, server-side settings like 'where to send an email to' are not 
>> among them. It seems quite odd that this particular setting is stored or 
>> cached anywhere on the client end... Are you sure about that?
>> This opens up the possibility that, if a user-side cookie can tell the 
>> server who to email, that by manipulating this token, Horde can be used as 
>> a spam gateway. (Of course, presumably the user would have to have an 
>> account on the Horde-running system to even get to an email form... right?)
> The cookie stores a session-id, not any actual data.  The session data is 
> stored in your session database (PHP's file-based sessions, MySQL, MemCache, 
> etc) and keyed by the session-id.
> 	Andy

I see. Makes more sense that way. :) Thank you!

More information about the horde mailing list