"Your session is invalid..." Fix (?)

richs at whidbey.net richs at whidbey.net
Wed May 31 18:28:51 CEST 2006

On May 31, 2006, at 8:57 AM, Brett Patterson - Roundcube Forum Admin  

> richs at whidbey.net wrote:
>> That should be "index.php" not "login.php" of course. :)
>> On May 31, 2006, at 8:40 AM, richs at whidbey.net wrote:
>>> I didn't see it listed in the trac Tickets, but I wanted to see  
>>> if this was a bug.
>>> Log into Roundcube, and then leave by visiting another site,  
>>> closing the window, etc.  Now return to the main Roundcube index  
>>> (e.g. www.domain.com/webmail).  You'll see "Your session is  
>>> invalid", even though your session is only seconds/minutes old,  
>>> and you'll need to re-login.
>>> I found that this error was being produced from "login.php", at  
>>> line 174:
>>>     if ($_auth !== $sess_auth
>>> Because "$_auth" has no value, set on line 92:
>>>     $_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
>>> Which looks for an "_auth" cookie, which never exists.
>>> I fixed this by setting the "_auth" cookie when the session is  
>>> created.  Added at line 101 in "program/include/main.inc":
>>>     setcookie("_auth",$sess_auth);
>>> Is this OK?  Would it be better to remove the "$_auth !==  
>>> $sess_auth" test altogether? (everything seemed to work when I  
>>> did that, since "sess_auth" is used where important?).
>>> Rich
> It should not be removed.  It's a security check.  What if you got  
> up and left and someone went back in your history and tried to log  
> into your email.  What if roundcube didn't check the session?   
> Would you really want /anyone/ to be able to see/send email from  
> your account?
> I think it should be left in.  If you don't want to leave the  
> webmail system, get a real browser like Firefox/Opera and don't use  
> IE.

As it is right now, the "$_auth !== $sess_auth" test doesn't work.  
That's the only point I wanted to make. :)

I agree that it shouldn't be removed, but fixed instead (by setting  

Remember that if you don't click "Log Out", the session won't be  
destroyed, and it's true... someone will be able to use your Back/ 
History to access your mail (until the session times out).  That  
applies to all browsers.
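
The check discussed in this thread, as an added example that is not part of the original message and is not Roundcube's code: a per-session token is stored server-side, a copy is sent to the client as the "_auth" cookie, and every request is compared against the stored copy. The function names, the session array layout, the cookie flags (which assume the site is served over HTTPS) and the sample requests are constructed for illustration.

```php
<?php
// Added example; all names are hypothetical, not Roundcube's own code.

// At login: create a per-session token and keep one copy server-side.
function issue_auth_token(array &$session): string
{
    $session['auth'] = bin2hex(random_bytes(16));
    return $session['auth'];
}

// Send the client its copy. Skipped on the CLI, where there are no headers.
function send_auth_cookie(string $token): void
{
    if (PHP_SAPI !== 'cli') {
        // 'secure' assumes HTTPS; 'httponly' keeps the value away from scripts.
        setcookie('_auth', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    }
}

// Per request: the client-supplied value must match the session's copy.
// A missing value on either side fails closed instead of comparing '' to ''.
function auth_matches(array $cookies, array $session): bool
{
    $supplied = $cookies['_auth'] ?? '';
    $expected = $session['auth'] ?? '';
    if (!is_string($supplied) || $supplied === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed walk-through of the three situations.
$session = [];
$token = issue_auth_token($session);
send_auth_cookie($token);

$cases = [
    'no _auth cookie sent (the behaviour reported)' => [],
    'cookie set when the session was created'      => ['_auth' => $token],
    'cookie left over from another session'        => ['_auth' => str_repeat('0', 32)],
];
foreach ($cases as $label => $cookies) {
    $result = auth_matches($cookies, $session) ? 'session ok' : 'session invalid';
    printf("%-46s %s\n", $label, $result);
}
```

Because the browser replays both the session cookie and the "_auth" cookie, this check does not stop someone at the same browser before the session times out, which is the point made in the last paragraph of the message.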

