RE: [Phpgroupware-users] Cookie madness with Konqueror
From: Chris Weiss
Subject: RE: [Phpgroupware-users] Cookie madness with Konqueror
Date: Mon, 27 May 2002 21:04:44 +0000

I've done a lot of testing of cookies, mostly from a security standpoint, using IE, Mozilla, IIS, and Apache+php4. Cookies are nasty little beasts but a necessary evil for a secure and fast web based app.

php4 sessions use cookies. There is nothing you can do about it except not use php4 sessions. I think php4 will not send you a cookie if you don't actually use the session memory. IIS's .asp sessions also use cookies, but even if you don't put anything in the session IIS will still drop you a cookie.

The problem is that when using session based cookies, the browser is supposed to keep the cookie only in memory. Mozilla and IE both do this AND also keep the in-memory cookie in a separate memory space for each session, thus allowing you to log in with more than one account at one time. This is the most secure way to use cookies because they never get written to disk and other "browsing sessions" can't hijack the cookie.

So if I correctly recall how this got started, the only fault here is in Konqueror's handling of session based cookies.

Phil Glaser (address@hidden) wrote:
>
>Hi Dan,
>
>> This is a good point. I don't think I tested non-cookie support when I
>> built the php4 sessions class. I think there is some flag I have to set
>> to tell it to NOT use cookies and I didn't take that into account
>
>There is no question that non-cookie support does not function at all: when
>configured for non-cookies, phpgw still sends cookies; and if I tell my
>browser to refuse cookies, I cannot log in.
>
>--Phil
>
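
Added example (not part of the original message or of phpGroupWare's code): the message above describes a session cookie as one the browser keeps only in memory, which on the wire means a Set-Cookie with neither Expires nor Max-Age. This Python check flags session-ID cookies that carry a lifetime; the PHPSESSID name (PHP's default session cookie name) and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (not captured from phpGroupWare).
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a1c; path=/",
    "PHPSESSID=3f9a1c; expires=Fri, 31 Dec 2038 23:59:59 GMT; path=/",
    "PHPSESSID=deleted; Max-Age=0; path=/",
    "lang=en; Max-Age=31536000; path=/",
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute keys lower-cased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """Classify a cookie as 'session', 'persistent' or 'expired' (a deletion)."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"  # no lifetime attribute: memory-only cookie

def audit(headers, session_names=("PHPSESSID",), now=None):
    """Return session-ID cookies that a browser would be allowed to write to disk."""
    now = now or datetime.now(timezone.utc)
    return [h for h in headers
            if parse_set_cookie(h)[0] in session_names
            and lifetime(parse_set_cookie(h)[1], now) == "persistent"]

if __name__ == "__main__":
    for hit in audit(SAMPLE_HEADERS):
        print("persistent session cookie:", hit)
```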