[imp] Access to other users mailboxes
Charlie Reitsma
reitsmac at denison.edu
Tue Apr 1 22:16:51 PST 2003
Would the strictest session.cookie_domain setting be the server name found in
the web server? I suppose in a load balancing situation you would choose the
name used by the load balancer to determine which group of servers gets this
traffic (imp.site.com gets directed to imp1.site.com or imp2.site.com so use
imp.site.com for the session.cookie_domain).
Quoting Eric Rostetter <eric.rostetter at physics.utexas.edu>:
> Quoting Myke Place <mp at xmission.com>:
>
> > We've got a serious problem that I could really use some help with.
> > Apparently, some users are logging into our IMP installation and getting
> > the mailboxes of other users.
> >
> > I see in the logs that IMP is contacting the IMAP server and logging in,
> > but on the Inbox screen, another user's mail is displayed. We are using
> > phpa with the following versions:
>
> Either your sessions are getting reused, or your phpa is caching things
> wrong. See http://cvs.horde.org/co.php/horde/docs/SECURITY for some
> light reading, paying attention to the stuff about sessions and entropy
> and the like.
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Why get even? Get odd!
>
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>
Charlie Reitsma
Systems Engineer
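
The cookie scoping this question turns on, as an added example that is not part of the original message or of Horde's code: it models RFC 6265 domain matching to show which hosts would receive the session cookie for several `session.cookie_domain` values when the browser talks to the load balancer name. Assumptions: an empty setting means PHP sends no Domain attribute, `x.imp.site.com` and `other.site.com` are constructed hostnames, and the function names are hypothetical.

```javascript
// Added example: models RFC 6265 cookie scoping for session.cookie_domain values.
// imp/imp1/imp2.site.com come from the message; the other hosts are constructed.
const HOSTS = ["imp.site.com", "imp1.site.com", "imp2.site.com",
               "x.imp.site.com", "other.site.com"];

// RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase();
  if (host === dom) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom);
}

// setting: value of session.cookie_domain ("" = no Domain attribute is sent).
// originHost: the name the browser used, i.e. the load balancer name.
function cookieSentTo(setting, originHost, requestHost) {
  if (setting === "") {
    // No Domain attribute: host-only cookie, returned to the exact origin host.
    return requestHost.toLowerCase() === originHost.toLowerCase();
  }
  const dom = setting.replace(/^\./, ""); // a leading dot is ignored
  // The browser discards a cookie whose Domain does not cover the origin host.
  if (!domainMatch(originHost, dom)) return false;
  return domainMatch(requestHost, dom);
}

// Hypothetical helper: which of HOSTS would receive the session cookie.
function scope(setting, originHost) {
  return HOSTS.filter((h) => cookieSentTo(setting, originHost, h));
}

for (const setting of ["", "imp.site.com", ".site.com", "imp1.site.com"]) {
  const hosts = scope(setting, "imp.site.com").join(", ") || "(cookie rejected)";
  console.log(JSON.stringify(setting), "->", hosts);
}
```

In this model an empty setting is narrower than naming the host, because a Domain attribute also covers subdomains of that name. A backend name such as `imp1.site.com` makes the browser drop the cookie, since it only ever sees the load balancer name.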