[imp] URL-based session ID question

Daniel Eckl daniel.eckl at gmx.de
Wed Dec 10 00:30:31 PST 2003


No. There is a "derefering" function in horde which removes the session ID
before forwarding to the real destination. So even without cookies there's no
problem with that.

Daniel

Zitat von Jeff Tucker <jeff at jltnet.com>:

> --On Tuesday, December 09, 2003 9:54 PM +0100 Daniel Eckl
> <daniel.eckl at gmx.de> wrote:
>
> > If you think the problem is the administrator of the webserver, then no.
> > not  even cookies.
> >
>
> Well, to be clear, I'm not talking about the administrator of the webserver
> that runs Imp. I'm talking about a situation where a user sees a link in
> their Imp email. When they click on that link, their referer will be the
> URL of the original email and that referer may end up in the external web
> server's logs. If someone with access to those logs can go to that link and
> get into the user's email, that's a problem.
>
> I thought I had remembered that there was a way around this problem besides
> the IP checking. I may not be correct, though.
>
> Jeff
>
>
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>
>
>



More information about the imp mailing list