[imp] URL-based session ID question
Jeff Tucker
jeff at jltnet.com
Tue Dec 9 11:42:20 PST 2003
Hello,

Some time ago I had switched my PHP install to require cookies for session
registration. This was done to keep people from using recent URLs to get at
other users' email. These URLs would occasionally appear in HTTP referer
logs and the owner of the webserver could log into the original user's
email account by just going to the URL.

I thought I had remembered that Horde had done something so that the
session ID changed with every page load, which made the URL invalid
immediately as long as the user continued to read or reload their email.
Doing a quick test without cookies didn't confirm that, though. It looked
like the session ID was staying the same forever.

I know that I can enable an IP check. However, I've got users complaining
that they suddenly can't login and I'm wondering if it's because they're
behind an array of proxy servers or something like that which would cause
their IP to change without them realizing it. I could also see a dialup
user who makes a quick phone call and then reconnects. They might expect
that Imp would keep working, but IP checking would log them out.

So, is there a safe way to allow people to refuse cookies but still be able
to login to Horde without enabling the IP validation?

Thanks
Jeff
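The two mechanisms the post is asking about, cookie-only session IDs and per-request rotation of the session ID, are both plain ext/session settings. The following is an added example written for this archive page; it is not code from the original post and not Horde's or IMP's own session handling. It assumes PHP 7.3 or later, a default session name of PHPSESSID, and the hypothetical constants REQUIRE_COOKIES and ROTATE_ID_PER_REQUEST as demo knobs; the referer log line at the bottom is constructed, not a real log entry.

```php
<?php
// Added example, not from the original post or from Horde/IMP.
// Assumes PHP >= 7.3 with the standard ext/session. The two constants
// below are hypothetical knobs for this demo, not Horde configuration.

const REQUIRE_COOKIES = true;        // refuse session IDs carried in the URL
const ROTATE_ID_PER_REQUEST = true;  // issue a fresh ID on every request

function configure_session(bool $requireCookies, bool $rotateId): void
{
    if ($requireCookies) {
        // Accept the ID only from the cookie, never from GET/POST, and never
        // rewrite links or forms to carry it. A URL that later shows up in a
        // Referer header then carries nothing that can resume the session.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
    } else {
        // Cookieless mode as described in the post: PHP appends PHPSESSID=...
        // to every URL. Without rotation, a URL copied out of a referer log
        // stays valid until the session expires on the server.
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
    }

    // Reject IDs the server never issued (defence against fixation; the
    // attacker cannot choose the ID that a victim's URL will carry).
    ini_set('session.use_strict_mode', '1');

    // Keep the cookie away from script access and most cross-site requests.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();

    if ($rotateId) {
        // Replace the ID and delete the old session record immediately, so the
        // URL the user followed a moment ago (and that a webserver owner may
        // have logged) can no longer be used to resume this session.
        // Caveat: in cookieless mode this also breaks the back button and
        // parallel tabs, because every earlier URL carries a dead ID.
        session_regenerate_id(true);
    }
}

/**
 * Given a URL as it would appear in a Referer header, return the session ID
 * it leaks, or null if it carries none. Useful for auditing old referer logs
 * for exactly the exposure the post describes.
 */
function referer_leaks_session_id(string $url, string $sessionName = 'PHPSESSID'): ?string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    return isset($params[$sessionName]) && $params[$sessionName] !== ''
        ? (string) $params[$sessionName]
        : null;
}

// Constructed sample referer log line (not a real log entry) of the kind the
// post mentions, showing a URL-carried session ID that another site's owner
// could paste into a browser while the session is still alive.
$sampleReferer = 'https://mail.example.test/imp/message.php?index=42&PHPSESSID=3d7a1c0f9b2e4a6c8d1f';
$leaked = referer_leaks_session_id($sampleReferer);   // "3d7a1c0f9b2e4a6c8d1f"

if (PHP_SAPI !== 'cli') {
    configure_session(REQUIRE_COOKIES, ROTATE_ID_PER_REQUEST);
}
```

Rotating the ID on every request makes a leaked URL stale almost immediately, as the post remembers, but only while the user keeps clicking; the last URL of an idle session stays valid until garbage collection removes the session, so the cookie-only setting is the one that actually closes the referer leak.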