[imp] Fwd: Chuck, what am I doing wrong? Why won't anyone respond to this question?

John Schneider john.schneider at daumcommercial.com
Tue Aug 10 14:44:08 PDT 2004


Thanks for responding. I certainly don't have a lab full of computers with
session IDs bookmarked. But, I do have about 200 users and perhaps some of
them have bookmarked the site at a time when a session ID was present in the
URL.

I checked with the users that experienced this problem. So far the user that
logged in and got a different user's mailbox replied back and DID have a
session ID in the URL...
http://webmail.domain.com/horde/imp/login.php?Horde=8e13e5f741680fcc8fbc062df9d2bcc4

The user whose mailbox was viewed did not yet reply. The user whose mailbox
was viewed WAS logged in just before or at about the time this happened and
was setting a vacation notice with SORK.

It appears that this would mean a user could potentially bookmark the site
at an inappropriate time and, depending on other circumstances, possibly gain
unauthorized access to other mailboxes. Is this a correct assumption? If so,
is there a way to prevent this? (Perhaps JavaScript code to prevent
bookmarking when a session ID is present in the URL?)
Regards,

John Schneider

>> -----Original Message-----
>> From: Michael Yingbull [mailto:mbull at uoguelph.ca] 
>> Sent: Tuesday, August 10, 2004 1:31 PM
>> To: john.schneider at daumcommercial.com; imp at lists.horde.org
>> Subject: [imp] Fwd: Chuck, what am I doing wrong? Why won't 
>> anyone respond to this question?
>> 
>> 
>> John:
>> 
>> The only time I've seen a user login and get another user's inbox is
>> when you have a session ID showing in the URL, and that URL has been
>> bookmarked and imaged onto a lab full of computers.
>> 
>> Any chance that's your situation?
>> 
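The failure mode discussed in this thread (a `Horde=<session id>` URL that is bookmarked or imaged onto several machines, after which whoever logs in first hands their mailbox to everyone else presenting that ID) can be reproduced with a small in-memory model; this is an added illustration, not Horde or IMP code. The two switches stand in for PHP's `session.use_only_cookies` / `session.use_trans_sid` behaviour and for regenerating the session ID at login (`session_regenerate_id()` in PHP); the user names and the in-memory store are constructed for the example.

```python
import secrets

# Constructed in-memory session store: session_id -> {"user": mailbox owner or None}
SESSIONS = {}

def _new_session():
    sid = secrets.token_hex(16)  # 32 hex chars, like the Horde=... value in the thread
    SESSIONS[sid] = {"user": None}
    return sid

def resolve_session(query, cookies, accept_url_sid):
    """Pick the session ID the server will use for a request.
    accept_url_sid=True models a server that honours a 'Horde=<sid>' query
    parameter (PHP trans-sid / use_only_cookies=0); False means only the
    cookie counts, so a bookmarked URL can never select someone else's session."""
    sid = query.get("Horde") if accept_url_sid else None
    if sid is None:
        sid = cookies.get("Horde")
    if sid not in SESSIONS:          # unknown or absent ID: mint a fresh one
        sid = _new_session()
    return sid

def login(sid, username, regenerate_on_login):
    """Bind the session to a mailbox. Regenerating the ID at login retires the
    pre-login ID, so a shared/bookmarked ID never becomes an authenticated one."""
    if regenerate_on_login:
        SESSIONS.pop(sid, None)
        sid = _new_session()
    SESSIONS[sid]["user"] = username
    return sid

def mailbox_for(sid):
    return SESSIONS[sid]["user"]

def simulate(accept_url_sid, regenerate_on_login):
    """Two users open the same bookmarked login.php?Horde=<sid> URL; the first
    logs in as 'alice'. Returns whose mailbox the second user ends up in."""
    SESSIONS.clear()
    bookmark = {"Horde": _new_session()}       # ID captured in a URL and bookmarked
    first = resolve_session(bookmark, {}, accept_url_sid)
    login(first, "alice", regenerate_on_login)
    second = resolve_session(bookmark, {}, accept_url_sid)  # no cookie of their own
    return mailbox_for(second)
```

Only the combination that accepts IDs from the URL and keeps the same ID across login (the first case) lands the second user in alice's mailbox; either rejecting URL-supplied IDs or regenerating the ID at login closes that path, and doing both guards against the post-login ID leaking into a bookmark as well.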