6.0.0-beta1
10/25/25

Search Results: 82 of 248 [ <<First <Prev Next> Last>> ] [ Return to Search Results ]


[#13284] Horde_Secret: Only store key in cookies if cookies are in use
Summary Horde_Secret: Only store key in cookies if cookies are in use
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Assigned
Priority 1. Low
Owners Horde Developers (at) , slusarz (at) horde (dot) org
Requester thomas.jarosch (at) intra2net (dot) com
Created 06/23/2014 (4142 days ago)
Due
Updated 02/02/2016 (3553 days ago)
Assigned 07/04/2014 (4131 days ago)
Resolved
Github Issue Link
Github Pull Request
Milestone
Patch Yes

History
02/02/2016 09:39:13 AM Jan Schneider Assigned to Horde DevelopersHorde Developers
 
07/04/2014 01:30:34 PM Thomas Jarosch Comment #6 Reply to this comment
Side note: Cookies are officially not supported for WebDAV sessions (yunosh)

See also:
http://comments.gmane.org/gmane.comp.php.sabredav/65

"2. Don't use sessions in WebDAV. They are not supported in most 
clients, and generally a terrible idea. HTTP is supposed to be 
stateless. Only when your client is a browser, a (session-)cookie is 
acceptable."

and

http://stackoverflow.com/questions/14499686/mac-os-x-does-not-send-cookies-to-webdav-resource

We probably need to come up with a more clever storage mechanism.
Funny the previous code worked at all for DAV.

Wild guess: The webdav access generates a new "session id" on every 
page access since it does not transport the session id cookie. This 
breaks Horde_Secret because it can no longer decrypt the data of the 
previous page access.

07/04/2014 12:44:07 PM Jan Schneider State ⇒ Assigned
 
07/04/2014 12:15:10 PM Git Commit Comment #5 Reply to this comment
Changes have been made in Git (master):

commit 512a25022a1fa00659372bada8997402a7da01b8
Author: Jan Schneider <jan@horde.org>
Date:   Fri Jul 4 14:14:08 2014 +0200

     Revert "[mms] Only store keys in cookie if cookies are in use 
(Bug #13284; thomas.jarosch@intra2net.com)."

     This reverts commit 6c501804b267e1559cb16731aaaef9f976ec25fb.

     This completely broke authentication with any DAV access.

     Conflicts:
             framework/Secret/package.xml

  framework/Secret/lib/Horde/Secret.php |   24 +++++++++++-------------
  1 files changed, 11 insertions(+), 13 deletions(-)

http://github.com/horde/horde/commit/512a25022a1fa00659372bada8997402a7da01b8
06/25/2014 07:28:01 AM Thomas Jarosch Comment #4 Reply to this comment
Horde_Secret 2.0.3.
nice, you even eliminated the $set variable altogether :)
clearKey() looks also much better than my implementation.

06/24/2014 10:12:42 PM Michael Slusarz Comment #3
Assigned to Michael Slusarz
State ⇒ Resolved
Reply to this comment
Horde_Secret 2.0.3.
06/24/2014 10:12:05 PM Git Commit Comment #2 Reply to this comment
Changes have been made in Git (master):

commit 6c501804b267e1559cb16731aaaef9f976ec25fb
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Tue Jun 24 16:06:29 2014 -0600

     [mms] Only store keys in cookie if cookies are in use (Bug 
#13284; thomas.jarosch@intra2net.com).

  framework/Secret/lib/Horde/Secret.php |   24 +++++++++++++-----------
  framework/Secret/package.xml          |    2 ++
  2 files changed, 15 insertions(+), 11 deletions(-)

http://github.com/horde/horde/commit/6c501804b267e1559cb16731aaaef9f976ec25fb
06/23/2014 02:21:03 PM Thomas Jarosch Patch ⇒ Yes
New Attachment: 0001-Horde_Secret-Only-store-key-in-cookie-if-cookies-are.patch Download
 
06/23/2014 02:19:05 PM Thomas Jarosch Comment #1
Priority ⇒ 1. Low
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Framework Packages
Summary ⇒ Horde_Secret: Only store key in cookies if cookies are in use
Type ⇒ Bug
Reply to this comment
Hi,

Horde_Secret currently stores the generated key in a cookie even when 
cookies are not used for the session id. This happens in setKey() and 
getKey().

The problem is later on in clearKey(): That one removes the key cookie 
only if session cookies are in use, too.

The attached patch fixes clearKey() and also avoids setting the cookie 
at all for non-cookie sessions.

Cheers,
Thomas

Saved Queries