[imp] User-specified session ids in Imp 3.1

Viljo Viitanen vviitane+mail.imp at mappi.helsinki.fi
Thu Apr 17 20:13:49 PDT 2003


I vaguely remember this has been discussed before, but I didn't (easily) find
anything in the archives, so here goes.

The problem is: a user bookmarks a URL with a session id, like this:

http://server/imp/login.php?Horde=efcd4930de859b70f5958cb37d065c45

And then, when this bookmark is moved to another machine (aren't my users
nice) and used there, it causes all the machines always to use the same
session id (with results you probably can guess). Even when the bookmark
stays on the same machine, it's very bad to let a user always use the same
session id.

If sessions are cookie based, and the imp_key cookie gets set, this is not such
a huge problem, as the other user does not get access to the first user's mail,
but I don't know what really happens then - probably nasty things anyway.
Session ids should never collide.

My quick solution was never to let the login.php login form add a session id,
and I did that by adding a fourth parameter to Horde::applicationUrl and
Horde::url to never append the session id to the URL, no matter what, and using
that in login.inc. In my quick tests, it seems to break nothing and nicely
solves the session-id-in-bookmark problem. (It doesn't help if the original
user's session never ends, but it's beyond my help then).

Any thoughts on this? Is this already addressed in RELENG or HEAD? Is a
different solution better?

-- 
Viljo Viitanen

(please use address Viljo.Viitanen at helsinki.fi for personal replies)
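
An added example, not part of the original post and not Horde or IMP code: one way, in plain PHP, to keep the session id out of the login URL and to make a bookmarked id useless once someone logs in. The function names `login_url` and `complete_login` and the path `/imp/login.php` are assumptions for illustration, and the settings assume a PHP version that has `session.use_strict_mode`.

```php
<?php
// Added example: not Horde/IMP code. Function names are hypothetical.

// Accept session ids from cookies only, never from the query string, and
// reject ids the server did not issue itself (strict mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_name('Horde'); // parameter name seen in the bookmarked URL

// Build a URL for the login form that never carries the session id,
// whatever the caller passed in (the role of the post's "fourth parameter").
function login_url(string $base, array $params = []): string
{
    unset($params[session_name()]);
    $query = http_build_query($params);
    return $query === '' ? $base : $base . '?' . $query;
}

// Hypothetical login handler. $authenticated is the result of the real
// credential check, which is out of scope here.
function complete_login(bool $authenticated, string $user): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!$authenticated) {
        return false;
    }
    // Issue a fresh id at login and delete the old session data, so an id
    // known before login (bookmark, shared link) no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// A bookmarked login URL arriving with ?Horde=...: redirect to the same page
// without the id, so it is not kept in the address bar or bookmarked again.
if (isset($_GET[session_name()])) {
    header('Location: ' . login_url('/imp/login.php', $_GET), true, 302);
    exit;
}
```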

