[imp] URL-based session ID question
Jeff Tucker
jeff at jltnet.com
Tue Dec 9 18:31:27 PST 2003
--On Tuesday, December 09, 2003 9:54 PM +0100 Daniel Eckl
<daniel.eckl at gmx.de> wrote:
> If you think the problem is the administrator of the webserver, then no.
> Not even cookies.
>
Well, to be clear, I'm not talking about the administrator of the webserver
that runs Imp. I'm talking about a situation where a user sees a link in
their Imp email. When they click on that link, their referer will be the
URL of the original email and that referer may end up in the external web
server's logs. If someone with access to those logs can go to that link and
get into the user's email, that's a problem.

I thought I had remembered that there was a way around this problem besides
the IP checking. I may not be correct, though.
Jeff
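
The Referer exposure described in this message, as an added example that is not part of the original post and is not IMP or Horde code: it checks whether a page URL would expose a session ID when sent as Referer, and rewrites off-site links so the browser leaves from a session-free redirect page instead. The parameter names in `SESSION_PARAMS`, the `/deref.php` path and all host names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Assumed names of URL parameters that carry the session ID.
SESSION_PARAMS = {"Horde", "PHPSESSID"}

def leaked_session_params(page_url):
    """Session parameters exposed if page_url is sent as a Referer."""
    query = parse_qs(urlsplit(page_url).query)
    return sorted(SESSION_PARAMS.intersection(query))

def rewrite_external_links(html, app_host, deref="/deref.php"):
    """Send off-site href targets through a redirect page on app_host.

    The redirect page (hypothetical here) is requested without a session
    ID in its URL, so the Referer the external server logs is harmless.
    """
    def repl(m):
        target = m.group(2)
        host = urlsplit(target).hostname
        if host is None or host == app_host:
            return m.group(0)  # relative or same-site link: unchanged
        wrapped = f"https://{app_host}{deref}?url={quote(target, safe='')}"
        return m.group(1) + wrapped + m.group(3)
    return re.sub(r'(href=")([^"]*)(")', repl, html)

# Constructed sample: a message view URL with the session ID in the query.
PAGE = "https://mail.example.org/imp/message.php?Horde=abc123&index=5"
BODY = ('<a href="http://ext.example.net/a?b=1">offer</a> '
        '<a href="message.php?index=6">next</a>')

if __name__ == "__main__":
    print("Referer would expose:", leaked_session_params(PAGE))
    print(rewrite_external_links(BODY, "mail.example.org"))
```

The redirect page should only accept targets the application itself generated, otherwise it becomes an open redirector.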