Question for the future of lightning and its cookie management


Question for the future of lightning and its cookie management

John Bieling
Hi,

we are currently investigating the cookie management of lightning/thunderbird when two or more connections from the same endpoint to the same server but with different user authentications are used. Is owncloud actually generating individual "sessions" for each user or will all users be on the same session (which does not work of course)?

We currently only have one cookie store per server/origin and are evaluating whether it is worth changing that. If owncloud is not generating individual sessions, this would be useless of course.

At the moment, the only way to have two or more connections to the same server but with different user authentications is by rejecting cookies.
Is there any drawback from rejecting cookies besides more overhead on the server's auth module? Are there any security issues?


Thanks for your help,
John

_______________________________________________
Devel mailing list
[hidden email]
http://mailman.owncloud.org/mailman/listinfo/devel

Re: Question for the future of lightning and its cookie management

Thomas Müller
Hi,

Generally speaking: yes, we do create a session and send back the cookie to the client, and you can reuse it on follow-up requests.
In case you are not sending back the cookie to the owncloud server and only use basic auth in each request, a new session will be created for each request.

I assume you are talking about CalDAV and CardDAV endpoints - right?

Generally speaking, the use of sessions in WebDAV is not advised/allowed as per specs/convention - we added cookie support for performance reasons with our own clients. We are reevaluating this and might drop sessions/cookies fully in the future.

Regards,

Tom

PS: Please consider https://central.owncloud.org next time when you have questions. THX

September 11, 2018 12:19 AM, "John Bieling" <[hidden email]> wrote:
Hi,

we are currently investigating the cookie management of lightning/thunderbird when two or more connections from the same endpoint to the same server but with different user authentications are used. Is owncloud actually generating individual "sessions" for each user or will all users be on the same session (which does not work of course)?

We currently only have one cookie store per server/origin and are evaluating whether it is worth changing that. If owncloud is not generating individual sessions, this would be useless of course.

At the moment, the only way to have two or more connections to the same server but with different user authentications is by rejecting cookies.
Is there any drawback from rejecting cookies besides more overhead on the server's auth module? Are there any security issues?

Thanks for your help,
John





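The three cookie policies discussed in this thread (one store per origin, one store per origin and user, and rejecting cookies), modelled as an added example that is not Lightning or ownCloud code. `ModelServer`, `DavClient` and `runScenario` are hypothetical names, and the model assumes that a valid session cookie takes precedence over the Basic auth credentials sent with the same request.

```javascript
// Constructed model server, NOT ownCloud code. Assumption: a known session
// cookie wins over the Basic auth user on the same request. Password checks
// are omitted; `user` stands for an already verified Basic auth identity.
class ModelServer {
  constructor() { this.sessions = new Map(); this.next = 1; }
  handle({ user, cookie }) {
    if (cookie && this.sessions.has(cookie)) {
      return { servedAs: this.sessions.get(cookie), setCookie: null };
    }
    const id = `sess-${this.next++}`;   // cookieless request: new session
    this.sessions.set(id, user);
    return { servedAs: user, setCookie: id };
  }
}

// Client with a pluggable cookie-store key. A null key means "reject cookies".
class DavClient {
  constructor(server, keyFn) {
    this.server = server; this.keyFn = keyFn; this.jar = new Map();
  }
  request(origin, user) {
    const key = this.keyFn(origin, user);
    const cookie = key === null ? undefined : this.jar.get(key);
    const res = this.server.handle({ user, cookie });
    if (key !== null && res.setCookie) this.jar.set(key, res.setCookie);
    return res.servedAs;
  }
}

const POLICIES = {
  perOrigin: (origin) => origin,                          // one store per server
  perOriginAndUser: (origin, user) => `${origin}|${user}`, // one store per account
  rejectCookies: () => null,                               // Basic auth only
};

// Two accounts alternate requests against the same (constructed) origin.
function runScenario(policyName) {
  const server = new ModelServer();
  const client = new DavClient(server, POLICIES[policyName]);
  const origin = "https://cloud.example";
  const servedAs = ["alice", "bob", "alice", "bob"]
    .map((user) => client.request(origin, user));
  return { servedAs, sessionsCreated: server.sessions.size };
}

for (const name of Object.keys(POLICIES)) console.log(name, runScenario(name));
```

Under these assumptions the per-origin store serves every request as the first account, the per-account store keeps the two identities apart with two sessions, and rejecting cookies also keeps them apart at the cost of one new session per request.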