[imp] URL-based session ID question

Daniel Eckl daniel.eckl at gmx.de
Tue Dec 9 12:54:17 PST 2003


If you think the problem is the administrator of the webserver, then no, not 
even cookies.

The owner of the server could attach a sniffer like Ethereal and could read 
out the session ID from the cookie, which has to be transmitted back and 
forth.
After that he could fake a correct HTTP session with this cookie. Not easily, 
but he could do that.

A cookie just prevents the next user of a computer from opening a browser, going 
into the history and reusing a session, because the cookie becomes invalid at 
browser close.

Best would be cookie _and_ IP auth, but you pointed out the problem of IP auth 
very clearly.

Greets,
Daniel

On Tuesday, 9 December 2003 20:42, Jeff Tucker wrote:
> Hello,
>
> Some time ago I had switched my PHP install to require cookies for session
> registration. This was done to keep people from using recent URLs to get at
> other users' email. These URLs would occasionally appear in HTTP referer
> logs and the owner of the webserver could log into the original user's
> email account by just going to the URL.
>
> I thought I had remembered that Horde had done something so that the
> session ID changed with every page load, which made the URL invalid
> immediately as long as the user continued to read or reload their email.
> Doing a quick test without cookies didn't confirm that, though. It looked
> like the session ID was staying the same forever.
>
> I know that I can enable an IP check. However, I've got users complaining
> that they suddenly can't login and I'm wondering if it's because they're
> behind an array of proxy servers or something like that which would cause
> their IP to change without them realizing it. I could also see a dialup
> user who makes a quick phone call and then reconnects. They might expect
> that Imp would keep working, but IP checking would log them out.
>
> So, is there a safe way to allow people to refuse cookies but still be able
> to login to Horde without enabling the IP validation?
>
> Thanks
> Jeff
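The two mechanisms discussed in this thread, refusing URL-based session IDs and rotating the ID on every page load, can both be expressed in a few lines of plain PHP. The following is an added example written for this page; it is not code from the thread, from Horde or from IMP. It assumes a PHP build that has `session_regenerate_id()` with its delete-old-session argument and the `session.cookie_httponly` setting; the `authenticate_user()` call is a hypothetical placeholder for whatever login logic the application uses.

```php
<?php
// Added example (not from the thread or from Horde/IMP): a cookie-only PHP
// session whose ID is rotated on every request, so a session ID that shows up
// in a URL, a browser history entry or a Referer log is already dead.

// Refuse URL-based session IDs entirely: no ?PHPSESSID=... is accepted from
// the request, and none is appended to links or forms in the output.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Keep the cookie away from page scripts and, when the site is served over
// HTTPS, off the wire in cleartext (this is what blunts the sniffer scenario
// raised in the reply above).
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', $https ? '1' : '0');

// Lifetime 0 makes it a session cookie: the browser discards it on close.
session_set_cookie_params(0, '/', '', $https, true);

session_start();

// Rotate the session ID on each page load and remove the old session file
// server-side, so a previously captured ID no longer maps to anything.
session_regenerate_id(true);

// Bind the (fresh) session to a login as usual. authenticate_user() is a
// hypothetical placeholder for the application's own login code.
if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = authenticate_user();
}
```

Two caveats a practitioner would want: rotation per request only protects against IDs that are replayed later (old URLs, history, Referer logs); someone who captures the cookie on the wire and uses it before the next page load is not stopped, which is the point the reply above makes and why `cookie_secure` over HTTPS matters. And deleting the old session immediately on every request can break pages that issue several requests at once (frames, images fetched with the session cookie, later AJAX), because the second request still carries the ID the first one just destroyed; applications that hit this usually rotate only at login and at privilege changes, or keep the old ID valid for a short grace period.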



More information about the imp mailing list