[imp] Session Keys in URL
Nigel Cass
N.Cass@Hull.ac.uk
Thu, 19 Sep 2002 16:07:48 +0100
I have my webmail set up such that http://webmail/ goes directly to
/usr/local/apache/htdocs/horde/imp and I have cookie path set to '/'
At first entry to the system, i.e. accessing http://webmail/, a URL is
thrown up something along the lines of
http://webmail/horde/imp/login.php?Horde=<sesskey>
Then when the user logs in the session key disappears from the URL
normally (although not always, it should be mentioned), which I would
kinda expect.
However when you go into, for e.g., Turba, certain operations seem to
bring back the session key in the URL etc.
What I am particularly worried about is people bookmarking URLs with
session keys in them and then being able to use that bookmark
weeks/months later and ending up using a session key that has by now
been given to someone else, and thus ending up with someone else's mail.
I am using session cookies (valid for the lifetime of the browser), which
should offer some protection against people inheriting the sessions of
others. But since we launch on Monday I am now getting a little
paranoid.
I would be grateful if someone could explain what I can do to avoid
this (if possible), or maybe let me know if I'm doing something a little
dumb or I'm not understanding sessions properly?
How do other people get around these problems?
Nigel Cass
>
> be sure to set the
> cookie_path in registry.php
>
> if you have it set to 'cookie_path' => '/horde'
> then the session id will show up in your URL anytime you access any pages
> other than in yourdomain.tld/horde (such as yourdomain.tld/imp)
>
> if you set it to '/' --- like this:
> 'cookie_path' => '/'
>
> the cookies will work correctly for your entire domain
>
> Hope that helps,
> - Ben
>
>
> At 04:29 AM 9/18/02, you wrote:
> >If anyone knows the answer to this question I would greatly appreciate a
> >response.
> >
> >TIA
> >
> >Nigel Cass.
> >
> > >
> > > I think that option must only be in the very latest PHP - (not in my
> > > php-4.2.3)
> > >
> > > Under what circumstances does IMP use session keys in the URL? - it
> > > seems that it depends exactly what URL I type as to whether I get a
> > > cookie or a session id in the URL.
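The thread above boils down to a PHP session-handling question: with a cookie path of '/horde' the browser withholds the cookie for /imp and /turba, PHP's trans-sid fallback puts the ID into links, and a bookmarked ?Horde=<sesskey> then becomes a way to inherit (or fixate) someone's session. The script below is an added example written for this page, not Horde or IMP code, showing the PHP-side settings behind Ben's registry.php advice together with the two checks a practitioner would add: refuse a session ID that arrives in the query string, and rotate the ID on login. It assumes a single front controller, PHP 4.3 or later for session.use_only_cookies and 4.3.2 or later for session_regenerate_id() (as the quoted message notes, php-4.2.3 lacks these, so there the ini_set() calls are ignored and only the cookie path and the query-string check take effect). The helper names strip_sid_and_redirect, login_ok and session_valid are hypothetical, as is the one-hour idle limit.

```php
<?php
// Added example (not Horde/IMP code): keep the PHP session ID out of URLs
// and make a bookmarked "?Horde=<sesskey>" harmless. Assumed: PHP 4.3+
// (session.use_only_cookies) and, for session_regenerate_id(), 4.3.2+;
// on PHP 4.2.3 the two ini_set() calls are ignored, so the query-string
// check and the cookie path are the only parts that take effect.

// 1. Do not rewrite links/forms to carry the session ID, and ignore any
//    session ID that does not arrive in a cookie. Depending on the PHP
//    version these may have to be set in php.ini or via Apache php_flag
//    rather than ini_set().
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
session_name('Horde');   // matches the ?Horde= parameter seen in the thread

// 2. Path '/' so the browser sends the cookie for /horde, /imp and /turba
//    alike. With path '/horde' the cookie is withheld for /imp and PHP
//    falls back to putting the ID in the URL. Lifetime 0 = session cookie.
session_set_cookie_params(0, '/');

// 3. A session ID in the query string is either a stale bookmark or a
//    fixation attempt: never adopt it. Redirect to the same URL without
//    it. (Hypothetical helper; it drops the whole query string for
//    brevity, so keep it on the login entry point only.)
function strip_sid_and_redirect()
{
    if (!isset($_GET[session_name()])) {
        return;
    }
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    header('Location: ' . $clean);
    exit;
}

// 4. On successful login, issue a fresh ID so any ID the client carried
//    before authenticating (possibly one an attacker chose) is useless.
//    Before PHP 5.1 the old session's data is not removed server-side.
function login_ok($user)
{
    if (function_exists('session_regenerate_id')) {
        session_regenerate_id();
    }
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
}

// 5. Server-side idle timeout: a leaked or reused ID dies after $max_idle
//    seconds even if the browser kept the cookie alive. Call this on
//    every authenticated request.
function session_valid($max_idle = 3600)
{
    if (empty($_SESSION['user']) || empty($_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $max_idle) {
        $_SESSION = array();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

strip_sid_and_redirect();   // must run before session_start()
session_start();
```

The order matters: the query-string check runs before session_start() so that, on a PHP build where trans-sid is still honoured, the ID from the URL is never read. Once use_only_cookies is in force and the cookie path is '/', the URL fallback should not trigger at all; the redirect and the idle timeout are the belt-and-braces for the bookmarked-URL case the original poster is worried about.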