[imp] Session Keys in URL

Eric Rostetter eric.rostetter@physics.utexas.edu
Thu, 19 Sep 2002 11:18:01 -0500 

Quoting Nigel Cass <N.Cass@Hull.ac.uk>:

> I have my webmail set up such that http://webmail/ goes directly to
> /usr/local/apache/htdocs/horde/imp and I have cookie path set to '/'

Sounds like you may have missed some configuration steps to make it 
really work as http://webmail/ though...  Or do you want this as more
of just a redirect?

> At first entry to the system i.e accessing http://webmail/ a url is
> thrown up something along the lines of
> http://webmail/horde/imp/login.php?Horde=<sesskey>

I would expect it to go to either of
 
http://webmail/login.php?Horde=...
or
http://webamil/imp/login.php?Horde=...

instead.  Or don't you want it to do that?  But the main point is that
yes, there will be a session key on the url.

> Then when the user logs in the session key disappears from the URL
> normally (although not always it should be mentioned.) which I would
> kinda expect.

Yes, it should disappear as long as cookies are working for that user,
and you've set it up to use cookies.

Things that might break this are firewalls/proxies, user disabled cookies,
browsers that don't support cookies, etc.

Other things that might break it are cookies disabled on the server side
(e.g. in php session managment), or incorrect path setup for the Horde
applications (in web server config and/or registry.php).

> However when you go into for e.g turba - certain operations seem to
> bring back the session key in the URL etc.

Which operations would those be?  I don't see any re-apperance of the
session on my urls...

> What I am particularly worried about is people bookmarking URLS with
> session keys in them and then being able to use that bookmark
> weeks/months later and ending up using a session key that has by now
> been given to someone else and thus ending up with someone elses mail.

Very, very unlikely, but not impossible.

> I would be grateful if someone could explain what I can do to avoid
> this. (if possible) Or maybe let me know if I'm doing something a little
> dumb or I'm not understanding sessions properly ?

My guess is you have something wrong in your configuration.  But you 
don't give enough information to diagnose it.

Check your web server config aliases/paths.  Check your registry.php
entries for paths.  I think you have something off somewhere in there.
 
> How do other people get around these problems ??

I've never seen the problem.

> Nigel Cass

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"Can you hear me now? ... Good!"
"Can you hear me now? ... Good!"