Summary | Horde still sends cookies when not using cookies for sessions |
Queue | Horde Base |
Queue Version | HEAD |
Type | Bug |
State | Not A Bug |
Priority | 1. Low |
Owners | |
Requester | slusarz (at) horde (dot) org |
Created | 06/13/2008 (6204 days ago) |
Due | |
Updated | 07/03/2008 (6184 days ago) |
Assigned | 06/13/2008 (6204 days ago) |
Resolved | 07/03/2008 (6184 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Not A Bug
cookies vs. get params was either/or rather than cookies or both.
Tweaked the documentation a bit to make this clearer.
http://cvs.horde.org/diff.php/horde/config/conf.xml?r1=1.74.2.69&r2=1.74.2.70&ty=u
http://cvs.horde.org/diff.php/horde/config/conf.xml?r1=1.230&r2=1.231&ty=u
Summary ⇒ Horde still sends cookies when not using cookies for sessions
don't think we have one - use_only_cookies is just that, a setting for
whether or not to use ONLY cookies. Setting it to false will still use
cookies.
configuration if cookies are turned off completely, instead of trying
to send the cookie and verifying whether we get it back. But I still
don't see why this is an issue.
because our documentation is incorrect. I turned off cookies and
spent an hour trying to figure out what the hell was going on because
Horde sends the exact same cookies no matter what the use_only_cookies
setting is.
Even worse, logins broke at least once - because Horde sets the cookie
but then later does a check if 'use_only_cookies' is false to see if
the cookie is set (in Horde::url()). If it is set, then no session ID
information is passed through the URL. Can't remember exactly how it
broke, but it wouldn't let me login until I cleared all cookies from
the browser.
Priority ⇒ 1. Low
works regardless.
is that it should still work with cookies turned off and that seems to
be the case. There are more places we set cookies unconditionally,
actually anywhere where we set them through javascript instead of PHP.
Regarding Secret, IIRC off my head we try to establish a shared secret
for the browser session. A cookie with some random token is considered
the most secure, if that fails we build a token from the browser
connection (IP, user agent?). We could probably check the
configuration if cookies are turned off completely, instead of trying
to send the cookie and verifying whether we get it back. But I still
don't see why this is an issue.
Priority ⇒ 3. High
State ⇒ Unconfirmed
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ Horde requires cookies
Type ⇒ Bug
through URLs), Horde still tries to set cookies on each page load. To
reproduce:
1. Turn off cookies in PHP/conf.php
2. Set browser to "prompt when receiving cookies"
3. Login
4. Every page load (at least in IMP) the server is trying to set
imp_key and auth_key (the setcookie calls in Secret::)
Horde seems to work fine if I deny the cookies so I think we just need
to stop sending them. But I am not too familiar with Secret:: so one
of the other devs should take a look at this.
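
The check discussed in this ticket (with use_only_cookies off, links omit the session ID whenever a session cookie is present) is shown below as an added example; it is not Horde's code. The function names, parameters and sample values are hypothetical, and the stricter variant is an assumption, not something the ticket proposes.

```php
<?php
// Added illustration, not Horde's code. All function and parameter names
// are hypothetical; the sample values at the bottom are constructed.

/**
 * The check as the ticket describes it: with use_only_cookies off, the
 * session ID is left out of the URL whenever a session cookie is present.
 */
function sid_needed_presence(bool $useOnlyCookies, array $cookies, string $name): bool
{
    return !$useOnlyCookies && !isset($cookies[$name]);
}

/**
 * Stricter variant (an assumption, not something the ticket proposes):
 * trust the cookie only if it carries the current session ID.
 */
function sid_needed_match(bool $useOnlyCookies, array $cookies, string $name, string $sid): bool
{
    if ($useOnlyCookies) {
        return false; // cookie-only mode: the ID never goes into a URL
    }
    return !hash_equals($sid, (string) ($cookies[$name] ?? ''));
}

/** Append the session ID as a GET parameter when $needed is true. */
function add_sid(string $url, bool $needed, string $name, string $sid): string
{
    if (!$needed) {
        return $url;
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($name) . '=' . rawurlencode($sid);
}

$name = 'PHPSESSID';             // PHP's default session.name
$sid  = 'current-id';            // constructed
$url  = '/example/page.php?a=1'; // constructed
$cases = [
    'no cookie returned'      => [],
    'current cookie'          => [$name => $sid],
    'cookie from old session' => [$name => 'old-id'],
];
foreach ($cases as $label => $cookies) {
    printf("%-24s presence: %-42s match: %s\n", $label,
        add_sid($url, sid_needed_presence(false, $cookies, $name), $name, $sid),
        add_sid($url, sid_needed_match(false, $cookies, $name, $sid), $name, $sid));
}
```

In the third case the presence check leaves the ID out of the link although the cookie does not belong to the current session; the ticket does not establish whether that is what broke the login described above.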