> > If you're in the web interface doing something, let's say messing
> > with your filters, the url can possibly be hacked. I copied
> > the url and pasted it into a different browser (like IE as
> > opposed to Netscape) and it let me in to the modify
> > screen. I thought it was odd that it didn't prompt me to log in
> > but just took the url. So I tried the same url on a
> > different computer altogether. It worked again. I don't know the
> > caliber of your other clients, but anyone using this system
> > on a public terminal can easily have their mailbox
> > compromised just by looking at the history.

If you choose against the cookie method of session identification, then yes, the url will contain a session key that will let anyone from anywhere into your web messaging session.

With HTTP, there are only 2 methods of session management: EITHER pass a unique key from page to page, in the url or in hidden form fields, OR set a cookie in the browser and read it on each page load. IMail's web messaging will do either.

BUT, that session key will expire after either 1) 12 minutes of inactivity (except with KillerWebMail, which has a config option to extend the session inactivity timeout), or 2) you logging out of webmail.

Ron Hornbaker
President/CTO
http://humankindsystems.com
w e c o d e.  w e c a r e.

http://AnswerTrack.com - eCRM email tracking solution
http://KillerWebMail.com - the name says it all
http://hksi.net/products - EZSignUp, You'veGotIMail!, etc...
http://hksi.net/testimonials - 2,348 admins can't be wrong

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
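
The behaviour discussed in this thread, as an added illustration that is not part of the original messages and is not IMail's code: a session key is a bearer token, so a URL that carries it stays usable from any client until the 12-minute idle timeout or a logout, while a cookie-carried key never appears in the URL history. The `sid` parameter name, the in-memory store and the `mail.example.test` host are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

IDLE_TIMEOUT = 12 * 60  # seconds; the 12-minute inactivity limit from the reply


class SessionStore:
    """In-memory sessions keyed by a random bearer token (assumed design)."""

    def __init__(self):
        self._last_seen = {}  # token -> time of the last accepted request

    def login(self, now):
        token = secrets.token_urlsafe(32)
        self._last_seen[token] = now
        return token

    def logout(self, token):
        self._last_seen.pop(token, None)  # logging out kills the key at once

    def validate(self, token, now):
        """True if the token is live; refreshes the idle timer on success."""
        seen = self._last_seen.get(token)
        if seen is None:
            return False
        if now - seen > IDLE_TIMEOUT:
            del self._last_seen[token]  # idle too long: drop the session
            return False
        self._last_seen[token] = now
        return True


def token_from_request(url, cookie_header=""):
    """Return (token, transport); 'sid' is a hypothetical parameter name."""
    cookie = SimpleCookie(cookie_header)
    if "sid" in cookie:
        return cookie["sid"].value, "cookie"
    values = parse_qs(urlsplit(url).query).get("sid")
    return (values[0], "url") if values else (None, None)


def replay_from_history(store, history_url, now):
    """Does a URL copied from browser history still open the session?"""
    # A different browser or computer sends no cookie, only the URL.
    token, _ = token_from_request(history_url)
    return token is not None and store.validate(token, now)
```

Each accepted request refreshes the idle timer, so a session in active use on a shared terminal stays replayable from its history entries until the user logs out.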
