"Your session is invalid..." Fix (?)
roundcube at gmail.com
Thu Jun 1 08:48:47 CEST 2006
I think you got something wrong here. First, there's a session timeout
you can configure in your main.inc.php file. This is set to 10 minutes
by default. When RoundCube is opened in your browser, it sends a
keep-alive signal every minute to keep the session up.
Second, the _auth value is not a cookie (yes, it never exists) but a GET
or POST parameter as you can see in your browser's location bar. Setting
a cookie does not solve any problem here.
The target of that hash was to increase security by checking the URL hash
against the value stored in the session (identified by the cookie). If
you return to RoundCube once you've left it, your browser still sends
the session cookie (it might still be valid) but the _auth hash is
missing and your session is considered invalid.
This _auth hash is slated to be removed and replaced by a second
cookie that will change its value at a specific interval. (Ticket #1483811)
richs at whidbey.net wrote:
> I didn't see it listed in the trac Tickets, but I wanted to see if this
> was a bug.
> Login into Roundcube, and then leave by visiting another site, closing
> the window, etc. Now return to the main Roundcube index (e.g.
> www.domain.com/webmail). You'll see "Your session is invalid", even
> though your session is only seconds/minutes old, and you'll need to
> I found that this error was being produced from "login.php", at line 174:
> if ($_auth !== $sess_auth
> Because "$_auth" has no value, set on line 92:
> $_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
> Which looks for an "_auth" cookie, which never exists.
> I fixed this by setting the "_auth" cookie when the session is created.
> Added at line 101 in "program/include/main.inc":
> Is this OK? Would it be better to remove the "$_auth !== $sess_auth"
> test altogether? (everything seemed to work when I did that, since
> "sess_auth" is used where important?).