Question for the future of Thunderbird/Lightning and its cookie management


#1

Hi,

We are currently investigating the cookie management of Lightning/Thunderbird when two or more *Dav connections from the same endpoint to the same server but with different user authentications are used. Is ownCloud actually generating and maintaining individual “sessions” for each user or will all users be on the same session (which does not work of course)?

We currently only have one cookie store per server/origin and are evaluating whether it is worth changing that. If ownCloud is not maintaining individual sessions, this would be useless of course.

At the moment, the only way to have two or more connections to the same server but with different user authentications is by rejecting cookies.

Are there any drawbacks to rejecting cookies besides more overhead on the server's auth module? Are there any security issues?

Thanks for your help,
John


#2

I do not accept cookies in Thunderbird, and I’m unaware of any drawback. I’m connecting to several calendars and address books, but all on the same user account.


#3

Yes, we consider that a workaround. The only workaround* to make this currently work.

We have to decide whether Lightning will now always reject cookies (regardless of any global setting) if more than one calendar (with different user auth) of the same server is added, or whether we can fix the cookie management.

If the server side is not maintaining different sessions for these connections, we cannot fix that on our side and then I would enforce rejecting cookies on these connections.

Also, if there is no real gain in using sessions here, I would also like to reject cookies on (all?) Lightning connections…

Edit: * You also have to bypass the PasswordManager and add your credentials to the CalDAV URL like https://user:password@host/… but that is of course not advised, which is why we want to fix this now once and for all.
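
The three options weighed in this thread (one cookie store per origin, a store per origin and user, and rejecting cookies), as an added simulation that is not part of the original posts and is not Thunderbird/Lightning or ownCloud code. The toy server, the strategy names and the `cloud.example` host are constructed; it assumes a server that lets a valid session cookie decide the identity without re-checking credentials, which is the behaviour the thread is asking about.

```javascript
// Toy server (constructed). Assumption: once a valid session cookie is
// presented, it decides the identity and the credentials are not re-checked.
function makeServer() {
  const sessions = new Map();
  function handle(req) {
    if (req.cookie && sessions.has(req.cookie)) {
      return { user: sessions.get(req.cookie), setCookie: null };
    }
    const sid = "sid" + (sessions.size + 1); // placeholder session id
    sessions.set(sid, req.authUser);         // stands in for a full auth check
    return { user: req.authUser, setCookie: sid };
  }
  return { handle, sessionCount: () => sessions.size };
}

// Cookie-jar keying strategies (hypothetical names). null = reject cookies.
const perOrigin = (origin) => origin;
const perOriginAndUser = (origin, user) => origin + "\n" + user;
const rejectCookies = () => null;

// Two calendars on one server, different accounts, each polled twice.
function simulate(keyFn) {
  const server = makeServer();
  const jar = new Map();
  const servedAs = [];
  for (const user of ["alice", "bob", "alice", "bob"]) {
    const key = keyFn("https://cloud.example", user);
    const cookie = key === null ? null : jar.get(key) || null;
    const res = server.handle({ authUser: user, cookie });
    if (res.setCookie && key !== null) jar.set(key, res.setCookie);
    servedAs.push(res.user);
  }
  // fullAuths counts requests that went through the credential check.
  return { servedAs: servedAs.join(","), fullAuths: server.sessionCount() };
}

console.log("per origin       ", simulate(perOrigin));
console.log("per origin + user", simulate(perOriginAndUser));
console.log("reject cookies   ", simulate(rejectCookies));
```

Under that assumption the per-origin jar serves every request as the first account, the per-user jar keeps the accounts apart with one authentication each, and rejecting cookies also keeps them apart at the cost of a full authentication on every request.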