Session timeout, has to be top priority!!!

Martin Marques martin at
Fri Sep 8 14:40:04 CEST 2006

On Fri, 8 Sep 2006, Thomas Bruederli wrote:

> What's this discussion all about? RoundCube has a session timeout for
> security reasons, which can be turned off by configuration. Please, no
> more discussion about advantages and disadvantages of session timeouts
> or about intelligent and stupid users!

How can it be turned off? I remember you saying that 
$rcmail_config['session_lifetime'] = false disables it, but someone some 
doubts about that.

> A session failure could occur if a request (like draft saving [btw. yes,
> we already have an automatic draft saving mechanism!]) takes a lot of
> time. In that case, the cookie could be switched to a new value but the
> HTTP header has not been sent to the client yet. If the keep-alive
> request is sent in the meantime, it arrives with the "old" cookie value
> which will cause RoundCube to deny the request and send a redirect to
> the login screen.

Besides the draft saving, could this also happen when deleting lots of 
mails, one at a time? Like hitting constantly the delete botton?

> With revision 338 I added some fall back for checking this changing
> session cookie. There's also a log file (log/timeouts) that will be
> filled with $_REQUEST and $_SESSION values if the session authorization
> (not session timeout) fails.

Just updated and configured the I'll test it and send feed 

  21:50:04 up 2 days,  9:07,  0 users,  load average: 0.92, 0.37, 0.18
Lic. Martín Marqués         |   SELECT 'mmarques' ||
Centro de Telemática        |       '@' || '';
Universidad Nacional        |   DBA, Programador,
     del Litoral             |   Administrador

More information about the Dev mailing list