[OGo-Users] ogo session information handling

Helge Hess users@opengroupware.org
Fri, 29 Feb 2008 16:10:21 +0100


On 29.02.2008, at 14:43, Sebastian Reitenbach wrote:
> I am wondering how ogo keeps track of active sessions. Does it save the
> session ids like PHP on the filesystem somewhere?

Technically this is a pluggable mechanism (WOSessionStore), but for  
practical reasons everything is kept in RAM.

> What are the differences between accessing ogo with and without cookies
> enabled in the browser?

Don't know. You can put the SOPE session id into a cookie which allows
you to open links from a native mail client w/o relogin. But using
cookies for authentication tokens is vulnerable to XSS attacks, so it's
better to turn that off and keep the sids in the URL.

I have some plans to introduce 'authentication tokens', but this may  
not be what you want.

> E.g. when I have two instances running on the same host, and cookies
> enabled, will it be possible to jump from one instance to another?

No. And I fail to see how cookies are related to this.

> I mean, the Apache just listens on two different ports, I log in to one
> instance, change the port where I contact apache, and apache sends me to the
> second instance.

I can't follow that.

Helge
-- 
Helge Hess
http://www.helgehess.eu/