Fri, 10 Apr 2026 09:50:11 +0000 https://bugs.horde.org/ticket/6910 Horde still sends cookies when not using cookies for sessions Even if running with cookies off (i.e. passing session information through URLs), Horde still tries to set cookies on each page load. To reproduce: 1. Turn off cookies in PHP/conf.php 2. Set browser to "prompt when receiving cookies" 3. Login 4. every page load (at least in IMP) the server is trying to set imp_key and auth_key (the setcookie calls in Secret::) Horde seems to work fine if I deny the cookies so I think we just need to stop sending them. But I am not too familiar with Secret:: so one of the other devs should take a look at this. Fri, 13 Jun 2008 04:48:45 +0000 https://bugs.horde.org/ticket/6910#t46360 I'm not sure why this is an issue, let alone high priority? The point is that it should still work with cookies turned off and that seems to be the case. There are more places we set cookies unconditionally, actually anywhere where we set them through javascript instead of PHP. Regarding Secret, IIRC off my head we try to establish a shared secret for the browser session. A cookie with some random token is considered the most secure, if that fails we build a token from the browser connection (IP, user agent?). We could probably check the configuration if cookies are turned off completely, instead of trying to send the cookie and verifying whether we get it back. But I still don't see why this is an issue. Fri, 13 Jun 2008 08:12:39 +0000 https://bugs.horde.org/ticket/6910#t46375 I don't see a reason to go to extra effort not to send cookies when it works regardless. Fri, 13 Jun 2008 14:53:55 +0000 https://bugs.horde.org/ticket/6910#t46404 > We could probably check the > configuration if cookies are turned off completely, instead of trying > to send the cookie and verifying whether we get it back. But I still > don't see why this is an issue. You are right, probably not a high issue. But it *is* an issue because our documentation is incorrect. I turned off cookies and spent an hour trying to figure out what the hell was going on because Horde sends the exact same cookies no matter what the use_only_cookies setting is. Even worse, logins broke at least once - because Horde sets the cookie but then later does a check if 'use_only_cookies' is false to see if the cookie is set (in Horde::url()). If it is set, then no session ID information is passed through the URL. Can't remember exactly how i broke, but it wouldn't let me login until I cleared all cookies from the browser. Mon, 16 Jun 2008 07:38:23 +0000 https://bugs.horde.org/ticket/6910#t46545 Michael - what setting in Horde did you expect to turn cookies off? I don't think we have one - use_only_cookies is just that, a setting for whether or not to use ONLY cookies. Setting it to false will still use cookies. Wed, 02 Jul 2008 21:35:48 +0000 https://bugs.horde.org/ticket/6910#t47129 Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/horde/config/conf.xml?r1=1.230&r2=1.231&ty=u Thu, 03 Jul 2008 05:26:17 +0000 https://bugs.horde.org/ticket/6910#t47148 Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/horde/config/conf.xml?r1=1.74.2.69&r2=1.74.2.70&ty=u Thu, 03 Jul 2008 05:27:15 +0000 https://bugs.horde.org/ticket/6910#t47149 It looks like my understanding of the setting was wrong - I thought cookies vs. get params was either/or rather than cookies or both. Tweaked the documentation a bit to make this clearer. Thu, 03 Jul 2008 05:28:22 +0000 https://bugs.horde.org/ticket/6910#t47150