Summary | IE8: Sessions without cookies are broken |
Queue | Horde Framework Packages |
Queue Version | Git master |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | Horde Developers (at) , slusarz (at) horde (dot) org |
Requester | thomas.jarosch (at) intra2net (dot) com |
Created | 02/14/2013 (4529 days ago) |
Due | |
Updated | 02/24/2013 (4519 days ago) |
Assigned | 02/20/2013 (4523 days ago) |
Resolved | 02/24/2013 (4519 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Resolved
updates the cookie information in case the value is unknown. IMHO
it's better if a getXXX() function works without side-effects.
is the only way of guaranteeing that the key returned from getXXX()
function will be the same key returned on the next page access (if a
session is currently active).
btw: It's a bit surprising that the Horde_Secret::getKey() function
updates the cookie information in case the value is unknown. IMHO it's
better if a getXXX() function works without side-effects.
commit 9da6c272b7ec9b23f87aae0ace04052166c86cc4
Author: Michael M Slusarz <slusarz@horde.org>
Date: Wed Feb 20 00:40:14 2013 -0700
IE8 doesn't support multiple background url definitions (Bug #12043)
horde/themes/default/ie8.css | 24 ++++++++++++++++++++++++
1 files changed, 24 insertions(+), 0 deletions(-)
http://git.horde.org/horde-git/-/commit/9da6c272b7ec9b23f87aae0ace04052166c86cc4
State ⇒ Feedback
Assigned to Michael Slusarz
Turns out that our CSS parsing was only able to replace one url()
within a CSS rule. Maybe this was what was confusing IE8 - having a
relative URL and a data URL in the same rule. Now it will either be
both data URLs or both relative URLs.
At a minimum, the new CSS parsing should be more robust and possibly faster.
commit b31b393c5d7952e4c7391cc41c0b91b24a593fa6
Author: Michael M Slusarz <slusarz@horde.org>
Date: Tue Feb 19 22:45:08 2013 -0700
[mms] Use csstidy library to parse CSS files when creating static CSS (Bug #12043).
Should be more efficient, since we don't have to search for url
parameters three different times.
Also, should be more robust (fixes support for multiple urls in a single
CSS style).
Side effect: $conf['cachecssparams']['compress'] is no longer needed -
since we are already necessarily parsing the CSS, there's no reason not
to compress when saving. Will remove the option in Horde 5.1 for
clarity.
framework/Core/lib/Horde/Themes/Css.php | 98 ++++++++++++++++++-------------
framework/Core/package.xml | 2 +
2 files changed, 58 insertions(+), 42 deletions(-)
http://git.horde.org/horde-git/-/commit/b31b393c5d7952e4c7391cc41c0b91b24a593fa6
Queue ⇒ Horde Framework Packages
Priority ⇒ 2. Medium
State ⇒ Assigned
Version ⇒ Git master
Remember Jan mentioning the invalid requests from broken CSS support in IE8?
The requests without the session id cause the secret key in
Horde_Secret::setKey() to be overwritten with the new session id. This
also updates the value in "$this->_keyCache".
Subsequent IMAP requests can't decrypt the password anymore and fail.
-> One "broken" request kills the whole session.
Steps to reproduce:
- Sessions without cookies in horde
- Disable cookies in PHP
- Clear all horde cookies
- Mark a message
- Hover "Delete" button
-> new session id will be generated by invalid request
What I'm wondering about:
How does the value in "$this->_keyCache" survive between HTTP requests?
When the next request with the original session id arrives,
$this->_keyCache['horde_secret'] returns the new, invalid session id.
State ⇒ Feedback
Priority ⇒ 1. Low
recommended by our docs since they are a security risk.
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ IE8: Sessions without cookies are broken
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
when using sessions without cookies and IE8,
I can't even delete a message. The log is full with IMAP server
authentication errors.
Might be related to #11570.
Thomas