On 22.04.2012 21:49, Reindl Harald wrote:
On 22.04.2012 21:38, Michael Heydekamp wrote:
Didn't know that. But how can a different user on a different machine have the same session ID (if not by random)? Is there any way to a) get hold of the ID of any other user's session, and b) to take influence on his own session ID in a way that he would identify himself with the same ID?
what do you think how long it takes to write a cookie like this? the only interesting thing is "roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905"
being in an open WLAN without ssl and anybody can fake it in seconds
Ok, typing it is not a big deal, but how can he get hold of the ID of any user in the same WLAN within seconds?
And: If he can do that, isn't faking the User-Agent even an easier deal?
Cookie: mailviewsplitterv=244; mailviewsplitter=262; composesplitterv=175; prefsviewsplitter=195; folderviewsplitter=300; addressviewsplitter=250; addressviewsplitterd=200; identviewsplitter=300; tl_webmail_sessid=vpxiRqxOLDa%2CM7gMP81eB2hPPc1; roundcube_sessauth=S1168d2474c3b543053461d00f9c8b1a1b1764905
This looks as if the pane sizes (= splitters) would indeed be saved in a simple cookie. That explains why they sometimes get lost here. Is there no way to save them permanently (machine-specific, of course)? Could be a database entry connected to the NIC, IMHO.