"Your session is invalid..." Fix (?)

Brett Patterson - Roundcube Forum Admin brett at roundcubeforum.net
Wed May 31 18:13:12 CEST 2006


Chris Richardson wrote:
> In regards to the browsers, IE is the most used browser and some of us 
> don't have a choice; we are required to use it for work. Also, Opera 
> does the same thing as he stated.
>
> Brett Patterson - Roundcube Forum Admin wrote:
>> richs at whidbey.net wrote:
>>> That should be "index.php" not "login.php" of course. :)
>>>
>>> On May 31, 2006, at 8:40 AM, richs at whidbey.net wrote:
>>>
>>>> I didn't see it listed in the trac Tickets, but I wanted to see if 
>>>> this was a bug.
>>>>
>>>> Login into Roundcube, and then leave by visiting another site, 
>>>> closing the window, etc.  Now return to the main Roundcube index 
>>>> (e.g. www.domain.com/webmail).  You'll see "Your session is 
>>>> invalid", even though your session is only seconds/minutes old, and 
>>>> you'll need to re-login.
>>>>
>>>> I found that this error was being produced from "login.php", at 
>>>> line 174:
>>>>
>>>>     if ($_auth !== $sess_auth
>>>>
>>>> Because "$_auth" has no value, set on line 92:
>>>>
>>>>     $_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
>>>>
>>>> Which looks for an "_auth" cookie, which never exists.
>>>>
>>>> I fixed this by setting the "_auth" cookie when the session is 
>>>> created.  Added at line 101 in "program/include/main.inc":
>>>>
>>>>     setcookie("_auth",$sess_auth);
>>>>
>>>> Is this OK?  Would it be better to remove the "$_auth !== 
>>>> $sess_auth" test altogether? (everything seemed to work when I did 
>>>> that, since "sess_auth" is used where important?).
>>>>
>>>> Rich
>>>>
>> It should not be removed.  It's a security check.  What if you got up 
>> and left and someone went back in your history and tried to log into 
>> your email.  What if roundcube didn't check the session?  Would you 
>> really want /anyone/ to be able to see/send email from your account?
>>
>> I think it should be left in.  If you don't want to leave the webmail 
>> system, get a real browser like Firefox/Opera and don't use IE.
>>
>
I was referring to tabbed browsing ;)

-- 
~  Brett  Patterson  ~
Roundcube Forum  Admin
www.roundcubeforum.net
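The session check Rich describes, modelled as a small stand-alone example (added here; not Roundcube code, and the names `create_session`, `login` and `check_request` are assumptions): the server mints a per-session `sess_auth` token at login, the request must carry the same value in the `_auth` cookie, and the "Your session is invalid" result appears exactly when that cookie was never set, as well as when it is stale or copied from another session.

```python
import hmac
import secrets

INVALID = "Your session is invalid"

def create_session() -> dict:
    """Login: mint a random per-session auth token and keep it server-side."""
    return {"sess_auth": secrets.token_hex(16)}

def login(set_auth_cookie: bool) -> tuple:
    """Simulate a login. With set_auth_cookie=False the server stores
    sess_auth but never sends the matching cookie (the bug in the report);
    with True it applies Rich's fix: setcookie("_auth", $sess_auth)."""
    session = create_session()
    cookies = {}
    if set_auth_cookie:
        cookies["_auth"] = session["sess_auth"]
    return session, cookies

def check_request(session: dict, cookies: dict) -> str:
    """The per-request test corresponding to `if ($_auth !== $sess_auth)`.
    Constant-time comparison avoids leaking the token via timing; a missing
    cookie is treated the same as a wrong one."""
    _auth = cookies.get("_auth", "")
    sess_auth = session.get("sess_auth", "")
    if not _auth or not hmac.compare_digest(_auth, sess_auth):
        return INVALID
    return "ok"

def stale_cookie_rejected() -> bool:
    """A cookie captured from an earlier (or another user's) session
    must not validate against the current session's sess_auth."""
    old_session, old_cookies = login(True)
    new_session, _ = login(True)
    return check_request(new_session, old_cookies) == INVALID

if __name__ == "__main__":
    print(check_request(*login(False)))   # the reported symptom
    print(check_request(*login(True)))    # after setting the _auth cookie
    print(stale_cookie_rejected())
```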