"Your session is invalid..." Fix (?)

Chris Richardson crichardson at cantella.com
Wed May 31 18:02:17 CEST 2006


In regards to the browsers: IE is the most used browser, and some of us 
don't have a choice; we are required to use it for work. Also, Opera 
does the same thing as he stated.

Brett Patterson - Roundcube Forum Admin wrote:
> richs at whidbey.net wrote:
>> That should be "index.php" not "login.php" of course. :)
>>
>> On May 31, 2006, at 8:40 AM, richs at whidbey.net wrote:
>>
>>> I didn't see it listed in the trac Tickets, but I wanted to see if 
>>> this was a bug.
>>>
>>> Login into Roundcube, and then leave by visiting another site, 
>>> closing the window, etc.  Now return to the main Roundcube index 
>>> (e.g. www.domain.com/webmail).  You'll see "Your session is invalid", 
>>> even though your session is only seconds/minutes old, and you'll need 
>>> to re-login.
>>>
>>> I found that this error was being produced from "login.php", at line 
>>> 174:
>>>
>>>     if ($_auth !== $sess_auth
>>>
>>> Because "$_auth" has no value, set on line 92:
>>>
>>>     $_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
>>>
>>> Which looks for an "_auth" cookie, which never exists.
>>>
>>> I fixed this by setting the "_auth" cookie when the session is 
>>> created.  Added at line 101 in "program/include/main.inc":
>>>
>>>     setcookie("_auth",$sess_auth);
>>>
>>> Is this OK?  Would it be better to remove the "$_auth !== $sess_auth" 
>>> test altogether? (everything seemed to work when I did that, since 
>>> "sess_auth" is used where important?).
>>>
>>> Rich
>>>
>>>
>>>
>>>
>>
>>
>>
> It should not be removed.  It's a security check.  What if you got up 
> and left and someone went back in your history and tried to log into 
> your email.  What if roundcube didn't check the session?  Would you 
> really want /anyone/ to be able to see/send email from your account?
> 
> I think it should be left in.  If you don't want to leave the webmail 
> system, get a real browser like Firefox/Opera and don't use IE.
> 

-- 
Chris Richardson
Network & Unix Administrator
Cantella & Co., Inc. (http://www.cantella.com)
2 Oliver Street, 11th Floor
Boston, MA 02109
(617)224-1438 - direct
(617)521-8630 - office
(617)521-8604 - fax
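Added illustration, not Roundcube's own code: how the `_auth` cookie and the server-side `$sess_auth` value discussed in the thread can be bound together, with the cookie issued at login (the step Rich found missing) and compared on every later request. The `login` form field name and the `$_SESSION['sess_auth']` layout are assumptions made for this example.

```php
<?php
// Example only (not from Roundcube): bind a per-session secret to the
// browser so that a request without the matching `_auth` cookie is
// rejected with "Your session is invalid".

session_start();

// On successful login: rotate the session id and mint a random secret,
// keep it server-side and hand it to the browser in the `_auth` cookie.
function issue_auth_cookie(): void
{
    session_regenerate_id(true);             // defeats session fixation
    $secret = bin2hex(random_bytes(16));     // 128-bit random value
    $_SESSION['sess_auth'] = $secret;
    setcookie('_auth', $secret, [
        'path'     => '/',
        'secure'   => true,                  // only sent over HTTPS
        'httponly' => true,                  // not readable by page scripts
        'samesite' => 'Strict',
    ]);
}

// On every later request: the cookie must equal the stored secret.
// This is the comparison quoted in the thread ($_auth !== $sess_auth);
// the reported bug was that nothing ever set the `_auth` cookie, so
// $_auth was always empty and the test always failed.
function session_is_valid(): bool
{
    $_auth     = $_COOKIE['_auth'] ?? '';
    $sess_auth = $_SESSION['sess_auth'] ?? '';
    if ($_auth === '' || $sess_auth === '') {
        return false;
    }
    return hash_equals($sess_auth, $_auth);  // constant-time compare
}

// Hypothetical request flow: a POSTed `login` field marks the login step.
if (isset($_POST['login'])) {
    // ... verify credentials here, then:
    issue_auth_cookie();
} elseif (!session_is_valid()) {
    session_unset();
    session_destroy();
    exit('Your session is invalid');
}
```

Keeping the check is what lets the server tell a request that carries the session cookie apart from one that merely knows the URL; an idle timeout on `$_SESSION` complements it for the walked-away-from-the-desk case Brett describes.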
