Ticket #1483986 (Bugs) Session expires

Mr. B. Vrieling bvrieling at tdchristian.ca
Fri Sep 8 03:24:29 CEST 2006

Hi all,

While I won't claim that I have fixed *the* session expiry problem, if the lack of recent complaints from my users is any indication, I have fixed *my* session expiry problem.

Following up on a tip from Thomas, I disabled the rcmail_authenticate_session() function in /program/include/main.inc. As Thomas explained, this piece of code does a double check on a cookie dropped in the client as a security check. To disable it, I changed the "return $valid;" at the end of this function to "return TRUE;" and the complaints I had been receiving died just like that.

DISCLAIMER: While I don't recall changing anything else of significance around the same time, I might have. I have been poking around a little.... So while I *think* the above fixed the problem for me, someone else had better verify it.


On Wed, 6 Sep 2006 11:16:24 -0400, "Mr. B. Vrieling" <bvrieling at tdchristian.ca> wrote:
> Thomas,
> Thanks a lot for your input.
> Further question:
> On Wed, 06 Sep 2006 08:17:56 +0200, Thomas Bruederli <roundcube at gmail.com>
> wrote:
>> Another place to debug this problem is in function
>> rcmail_authenticate_session() which can be found in main.inc. If you set
>> $CONFIG['session_lifetime'] to FALSE, the time check will be avoided but
>> the validity of the session still will be checked in
>> rcmail_authenticate_session()
> Is that a new change? In beta2, session_lifetime is a value, not a
> boolean. If I were to set it to FALSE, some of the math would be odd....
> like here:
> ini_set('session.gc_maxlifetime', ($CONFIG['session_lifetime']+2)*60);
>> Some time ago, I removed the _auth hash in all URLs and added a second
>> cookie that changes every 5 minutes. When the client sends it's
>> keep-alive signal, a new cookie will be sent. To disable this security
>> check, you simple let rcmail_authenticate_session() always return true.
>> I hope these explanations will help you debug this. I'm really keen on
>> what's the problem here...
> I'll poke, and report back what I find.
> Thanks for the help!
> ..Bruce

More information about the Dev mailing list