Tickets :: [#13284] Horde_Secret: Only store key in cookies if cookies are in use

6.0.0-alpha10

5/14/25

Summary	Horde_Secret: Only store key in cookies if cookies are in use
Queue	Horde Framework Packages
Queue Version	Git master
Type	Bug
State	Assigned
Priority	1. Low
Owners	Horde Developers (at) , slusarz (at) horde (dot) org
Requester	thomas.jarosch (at) intra2net (dot) com
Created	06/23/2014 (3978 days ago)
Due
Updated	02/02/2016 (3389 days ago)
Assigned	07/04/2014 (3967 days ago)
Resolved
Milestone
Patch	Yes

02/02/2016 09:39:13 AM	Jan Schneider	Assigned to Horde Developers

07/04/2014 01:30:34 PM	Thomas Jarosch	Comment #6	Reply to this comment
Side note: Cookies are officially not supported for WebDAV sessions (yunosh) See also: http://comments.gmane.org/gmane.comp.php.sabredav/65 "2. Don't use sessions in WebDAV. They are not supported in most clients, and generally a terrible idea. HTTP is supposed to be stateless. Only when your client is a browser, a (session-)cookie is acceptable." and http://stackoverflow.com/questions/14499686/mac-os-x-does-not-send-cookies-to-webdav-resource We probably need to come up with a more clever storage mechanism. Funny the previous code worked at all for DAV. Wild guess: The webdav access generates a new "session id" on every page access since it does not transport the session id cookie. This breaks Horde_Secret because it can no longer decrypt the data of the previous page access.

07/04/2014 12:44:07 PM	Jan Schneider	State ⇒ Assigned

07/04/2014 12:15:10 PM	Git Commit	Comment #5	Reply to this comment
Changes have been made in Git (master): commit 512a25022a1fa00659372bada8997402a7da01b8 Author: Jan Schneider <jan@horde.org> Date: Fri Jul 4 14:14:08 2014 +0200 Revert "[mms] Only store keys in cookie if cookies are in use (Bug #13284; thomas.jarosch@intra2net.com)." This reverts commit 6c501804b267e1559cb16731aaaef9f976ec25fb. This completely broke authentication with any DAV access. Conflicts: framework/Secret/package.xml framework/Secret/lib/Horde/Secret.php \| 24 +++++++++++------------- 1 files changed, 11 insertions(+), 13 deletions(-) http://github.com/horde/horde/commit/512a25022a1fa00659372bada8997402a7da01b8

06/25/2014 07:28:01 AM	Thomas Jarosch	Comment #4	Reply to this comment
Horde_Secret 2.0.3. nice, you even eliminated the $set variable altogether :) clearKey() looks also much better than my implementation.

06/24/2014 10:12:42 PM	Michael Slusarz	Comment #3 Assigned to Michael Slusarz State ⇒ Resolved	Reply to this comment
Horde_Secret 2.0.3.

06/24/2014 10:12:05 PM	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git (master): commit 6c501804b267e1559cb16731aaaef9f976ec25fb Author: Michael M Slusarz <slusarz@horde.org> Date: Tue Jun 24 16:06:29 2014 -0600 [mms] Only store keys in cookie if cookies are in use (Bug #13284; thomas.jarosch@intra2net.com). framework/Secret/lib/Horde/Secret.php \| 24 +++++++++++++----------- framework/Secret/package.xml \| 2 ++ 2 files changed, 15 insertions(+), 11 deletions(-) http://github.com/horde/horde/commit/6c501804b267e1559cb16731aaaef9f976ec25fb

06/23/2014 02:21:03 PM	Thomas Jarosch	Patch ⇒ Yes New Attachment: 0001-Horde_Secret-Only-store-key-in-cookie-if-cookies-are.patch

06/23/2014 02:19:05 PM	Thomas Jarosch	Comment #1 Priority ⇒ 1. Low State ⇒ Unconfirmed Patch ⇒ No Milestone ⇒ Queue ⇒ Horde Framework Packages Summary ⇒ Horde_Secret: Only store key in cookies if cookies are in use Type ⇒ Bug	Reply to this comment
Hi, Horde_Secret currently stores the generated key in a cookie even when cookies are not used for the session id. This happens in setKey() and getKey(). The problem is later on in clearKey(): That one removes the key cookie only if session cookies are in use, too. The attached patch fixes clearKey() and also avoids setting the cookie at all for non-cookie sessions. Cheers, Thomas