
[#12043] IE8: Sessions without cookies are broken
Summary IE8: Sessions without cookies are broken
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 2. Medium
Owners Horde Developers (at) , slusarz (at) horde (dot) org
Requester thomas.jarosch (at) intra2net (dot) com
Created 02/14/2013 (4529 days ago)
Due
Updated 02/24/2013 (4519 days ago)
Assigned 02/20/2013 (4523 days ago)
Resolved 02/24/2013 (4519 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
02/24/2013 06:01:31 AM Michael Slusarz Comment #10
State ⇒ Resolved
> btw: It's a bit surprising that the Horde_Secret::getKey() function
> updates the cookie information in case the value is unknown. IMHO
> it's better if a getXXX() function works without side-effects.
This is the way it always has worked.  And it makes sense to me: this 
is the only way of guaranteeing that the key returned from getXXX() 
function will be the same key returned on the next page access (if a 
session is currently active).
02/20/2013 01:10:03 PM Thomas Jarosch Comment #9
Your latest change fixed the issue for IE8. Thanks!


btw: It's a bit surprising that the Horde_Secret::getKey() function 
updates the cookie information in case the value is unknown. IMHO it's 
better if a getXXX() function works without side-effects.

02/20/2013 07:41:19 AM Git Commit Comment #8
Changes have been made in Git (master):

commit 9da6c272b7ec9b23f87aae0ace04052166c86cc4
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Wed Feb 20 00:40:14 2013 -0700

     IE8 doesn't support multiple background url definitions (Bug #12043)

  horde/themes/default/ie8.css |   24 ++++++++++++++++++++++++
  1 files changed, 24 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/9da6c272b7ec9b23f87aae0ace04052166c86cc4
02/20/2013 05:52:13 AM Michael Slusarz Comment #7
State ⇒ Feedback
Assigned to Michael Slusarz
Does this help?

Turns out that our CSS parsing was only able to replace one url() 
within a CSS rule.  Maybe this was what was confusing IE8 - having a 
relative URL and a data URL in the same rule.  Now it will either be 
both data URLs or both relative URLs.

At a minimum, the new CSS parsing should be more robust and possibly faster.
02/20/2013 05:50:15 AM Git Commit Comment #6
Changes have been made in Git (master):

commit b31b393c5d7952e4c7391cc41c0b91b24a593fa6
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Tue Feb 19 22:45:08 2013 -0700

     [mms] Use csstidy library to parse CSS files when creating static CSS (Bug #12043).

     Should be more efficient, since we don't have to search for url
     parameters three different times.

     Also, should be more robust (fixes support for multiple urls in a single
     CSS style).

     Side effect: $conf['cachecssparams']['compress'] is no longer needed -
     since we are already necessarily parsing the CSS, there's no reason not
     to compress when saving.  Will remove the option in Horde 5.1 for
     clarity.

  framework/Core/lib/Horde/Themes/Css.php |   98 ++++++++++++++++++-------------
  framework/Core/package.xml              |    2 +
  2 files changed, 58 insertions(+), 42 deletions(-)

http://git.horde.org/horde-git/-/commit/b31b393c5d7952e4c7391cc41c0b91b24a593fa6
02/20/2013 01:44:25 AM Michael Slusarz Assigned to Horde Developers
 
02/20/2013 01:44:03 AM Michael Slusarz Comment #5
Queue ⇒ Horde Framework Packages
Priority ⇒ 2. Medium
State ⇒ Assigned
Version ⇒ Git master
This is a problem with CSS theming/images, not IMP.
02/19/2013 01:38:05 PM Thomas Jarosch Comment #4
> Can't reproduce.
Ok, I found out what's going on after adding debug traces to Horde_Secret.

Remember Jan mentioning the invalid requests from broken CSS support in IE8?

The requests without the session id cause the secret key in 
Horde_Secret::setKey() to be overwritten with the new session id. This 
also updates the value in "$this->_keyCache".

Subsequent IMAP requests can't decrypt the password anymore and fail.

-> One "broken" request kills the whole session.

Steps to reproduce:
- Sessions without cookies in horde
- Disable cookies in PHP
- Clear all horde cookies
- Mark a message
- Hover "Delete" button
   -> new session id will be generated by invalid request


What I'm wondering about:
How does the value in "$this->_keyCache" survive between HTTP requests?

When the next request with the original session id arrives,
$this->_keyCache['horde_secret'] returns the new, invalid session id.

02/18/2013 02:16:44 AM Michael Slusarz Comment #3
State ⇒ Feedback
Can't reproduce.
02/17/2013 05:21:59 AM Michael Slusarz Comment #2
Priority ⇒ 1. Low
Re-lowering priority - non-cookie sessions are expressly not 
recommended by our docs since they are a security risk.
02/14/2013 02:32:14 PM Thomas Jarosch Priority ⇒ 2. Medium
 
02/14/2013 02:29:29 PM Thomas Jarosch Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ IE8: Sessions without cookies are broken
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
Hi,

when using sessions without cookies and IE8,
I can't even delete a message. The log is full of IMAP server 
authentication errors.

Might be related to #11570.

Thomas
