"Your session is invalid..." Fix (?)

richs at whidbey.net richs at whidbey.net
Wed May 31 18:28:51 CEST 2006


On May 31, 2006, at 8:57 AM, Brett Patterson - Roundcube Forum Admin  
wrote:

> richs at whidbey.net wrote:
>> That should be "index.php" not "login.php" of course. :)
>>
>> On May 31, 2006, at 8:40 AM, richs at whidbey.net wrote:
>>
>>> I didn't see it listed in the trac Tickets, but I wanted to see  
>>> if this was a bug.
>>>
>>> Login into Roundcube, and then leave by visiting another site,  
>>> closing the window, etc.  Now return to the main Roundcube index  
>>> (e.g. www.domain.com/webmail).  You'll see "Your session is  
>>> invalid", even though your session is only seconds/minutes old,  
>>> and you'll need to re-login.
>>>
>>> I found that this error was being produced from "login.php", at  
>>> line 174:
>>>
>>>     if ($_auth !== $sess_auth
>>>
>>> Because "$_auth" has no value, set on line 92:
>>>
>>>     $_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
>>>
>>> Which looks for an "_auth" cookie, which never exists.
>>>
>>> I fixed this by setting the "_auth" cookie when the session is  
>>> created.  Added at line 101 in "program/include/main.inc":
>>>
>>>     setcookie("_auth",$sess_auth);
>>>
>>> Is this OK?  Would it be better to remove the "$_auth !==  
>>> $sess_auth" test altogether? (everything seemed to work when I  
>>> did that, since "sess_auth" is used where important?).
>>>
>>> Rich
>>
> It should not be removed.  It's a security check.  What if you got  
> up and left and someone went back in your history and tried to log  
> into your email.  What if roundcube didn't check the session?   
> Would you really want /anyone/ to be able to see/send email from  
> your account?
>
> I think it should be left in.  If you don't want to leave the  
> webmail system, get a real browser like Firefox/Opera and don't use  
> IE.

As it is right now, the "$_auth !== $sess_auth" test doesn't work.  
That's the only point I wanted to make. :)

I agree that it shouldn't be removed, but fixed instead (by setting  
_auth).

Remember that if you don't click "Log Out", the session won't be  
destroyed, and it's true: someone will be able to use your Back/History  
to access your mail (until the session times out).  That  
applies to all browsers.
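Added example, not code from this thread or from Roundcube: a command-line model of the "_auth" check the thread discusses, so the four cases (no token anywhere, token in a cookie, token carried in an application link, token from an earlier session) can be run side by side. Plain arrays stand in for $_SESSION, $_GET, $_POST and $_COOKIE, `get_input_value` and `app_link` are stand-ins written for this example, and it assumes (not stated in the thread) that the token is generated with random_bytes(), compared with hash_equals(), and that GPC input is consulted in the order GET, POST, cookie.

```php
<?php
// Added example, not Roundcube's code: a command-line model of the "_auth"
// check discussed in the thread. Plain arrays stand in for $_SESSION, $_GET,
// $_POST and $_COOKIE so it runs offline:  php sess_auth_example.php
//
// Assumptions (not taken from the thread): the token comes from random_bytes(),
// the comparison uses hash_equals(), and GPC input is consulted in the order
// GET, POST, cookie.

// A new session record carrying a fresh, unguessable per-session token.
function create_session(string $user): array
{
    return [
        'user'      => $user,
        'sess_auth' => bin2hex(random_bytes(16)),
    ];
}

// Stand-in for get_input_value('_auth', RCUBE_INPUT_GPC): return the first
// non-empty value found in GET, POST or cookie input, or null if none has it.
function get_input_value(string $name, array $get, array $post, array $cookie): ?string
{
    foreach ([$get, $post, $cookie] as $source) {
        if (isset($source[$name]) && $source[$name] !== '') {
            return (string) $source[$name];
        }
    }
    return null;
}

// The "$_auth !== $sess_auth" test, with a constant-time comparison so the
// token cannot be recovered byte by byte from timing differences.
function session_is_valid(array $session, ?string $_auth): bool
{
    if ($_auth === null || !isset($session['sess_auth'])) {
        return false;
    }
    return hash_equals($session['sess_auth'], $_auth);
}

// A link as an application page would emit it: the session's own token
// travels in the request, so only pages that knew the token can produce it.
function app_link(array $session, string $task): string
{
    return '/webmail/index.php?_task=' . urlencode($task)
         . '&_auth=' . urlencode($session['sess_auth']);
}

function verdict(bool $ok): string
{
    return $ok ? 'ok' : 'Your session is invalid';
}

$session = create_session('rich');

// 1. Behaviour reported in the thread: nothing ever sets "_auth", so a bare
//    request for the index (no GET, POST or cookie value) fails the check.
$auth = get_input_value('_auth', [], [], []);
printf("bare index, no _auth anywhere:       %s\n", verdict(session_is_valid($session, $auth)));

// 2. Rich's fix: an "_auth" cookie set when the session is created. The browser
//    now attaches it to every request to this host, so the bare index passes.
$cookie = ['_auth' => $session['sess_auth']];
$auth = get_input_value('_auth', [], [], $cookie);
printf("bare index, _auth cookie present:    %s\n", verdict(session_is_valid($session, $auth)));

// 3. Token carried in the request itself, as an app-generated link would do.
parse_str((string) parse_url(app_link($session, 'mail'), PHP_URL_QUERY), $get);
$auth = get_input_value('_auth', $get, [], []);
printf("app-generated link, token in URL:    %s\n", verdict(session_is_valid($session, $auth)));

// 4. A link kept from an earlier session (different token) no longer matches.
$stale = create_session('rich');
parse_str((string) parse_url(app_link($stale, 'mail'), PHP_URL_QUERY), $get);
$auth = get_input_value('_auth', $get, [], []);
printf("link from an earlier session:        %s\n", verdict(session_is_valid($session, $auth)));
```

Which input carries the token decides what the comparison proves. A cookie is attached by the browser to every request to the site, so once "_auth" lives in a cookie the test passes for any request that browser sends, whether or not it originated from a Roundcube page; a token carried in the application's own links and form fields only matches when the request was built by a page that already had it, which is the request-forgery protection such a per-session token normally provides. The back-button case is separate from either: a page pulled from history reuses the live session cookie no matter where "_auth" is kept, so only logging out or a timeout ends that exposure.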




More information about the Dev mailing list