From chris.hembrow+mail-rc@pixelseventy2.net Sat Jul 14 15:57:34 2007
From: rc mail <chris.hembrow+mail-rc@pixelseventy2.net>
To: dev@lists.roundcube.net
Subject: Re: Session timeout, has to be top priority!!!
Date: Fri, 08 Sep 2006 04:25:26 -0400
Message-ID: <2a59c6be6ac3ec3c4ee9cea1b715dda0@localhost>
In-Reply-To: <c26e5bfc7e57a230dccc5485a8bbedab@localhost>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4802368641911320800=="

--===============4802368641911320800==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Just my tuppence worth. Sessions expire when there is no activity between the=
 client and the web server for a given session, for the given timeout. In tra=
ditional asp, the default was 20 minutes, in Tomcat (Java) it is 30. I'm not =
sure about PHP.=20

As someone suggested before, an autosave feature could help with this. If the=
 timeout is 20 minutes, an auto-save (triggered by a javascript timer on the =
compose page) every 5 minutes, would prompt a client-server communication, an=
d reset the session timeout back to 20 minutes.=20

I've not looked too closely, but including something like this on the compose=
 page should fix this.
<script>
// auto-save the draft every 5 minutes
setInterval( "rcmail.command('savedraft','',null)", 5*60*60*1000 );
</script>

Including this on the compose page should fix the timeout when writing an ema=
il, but it would still apply everywhere else in RC.

Apologies if this has already been suggested, or is complete bolx

Pixel

On Thu, 7 Sep 2006 23:30:06 -0500, Brennan Stehling <brennan(a)offwhite.net> =
wrote:
> That is exactly right.  And beyond timing out during an email composition,
> in Firefox once it kicks you out to that page you cannot simply go back
> and copy the text you were writing.  The timeout may be set to 20 minutes,
> but should work as a sliding window which is extended each time you take an
> action.
>=20
> And you can monitor if someone is pressing the keys while in the
> composition window.  Activity during composition should slide the window.
>=20
> Brennan
>=20
> On Thu, 7 Sep 2006 20:12:36 -0600, Eric Stadtherr <estadtherr(a)gmail.com>
> wrote:
>> Forgive me if I'm stating the obvious, but it seems like the debate
>> is centering around the question of, "Is the timeout useful?" This
>> seems like a completely different question from "Why is my session
>> expiring even though I'm actively using RoundCube?" If the session
>> management were working correctly, the sessions wouldn't be timing
>> out during message composition and we wouldn't be discussing the
>> first question at all.
>>
>> Am I missing something?
>>
>>
>> On Sep 7, 2006, at 7:37 PM, Sergio A. Kessler wrote:
>>
>>> it seems gmail does the rigth thing.
>>>
>>> but, by far, the most common scenario is a writed lost mail because of
>>> a session timeout, and this is happening to a lot of people (as you
>>> can see), just because someone want to help an *eventual* and
>>> *hipotetical* stupid user that maybe forgot to close the mail...
>>>
>>>
>>> On 9/7/06, Mark Edwards <mark(a)antsclimbtree.com> wrote:
>>>> I don't see how this kind of attitude can possibly help Roundcube.
>>>>
>>>> Squirrelmail has a timeout, as does Webmin, Cacti, and nearly every
>>>> other web interface that has a login.
>>>>
>>>> I am amazed that this is even an issue.
>>>>
>>>> I agree that the timeout needs to not threaten the usability of the
>>>> app, and that needs discussion, but saying "screw people if they
>>>> don't log out" is ridiculous for an application that is supposed to
>>>> offer a user-friendly interface for novices to use their email.
>>>>
>>>> On Sep 7, 2006, at 5:24 PM, Sergio A. Kessler wrote:
>>>>
>>>> > and how do you stop people from doing stupids things ?
>>>> > and where do you draw the line ?
>>>> >
>>>> > I mean, if I delete an important file or mail and clean the trash,
>>>> > how do you stop me ?
>>>> >
>>>> > shit happens, anyway...
>>>> >
>>>> > and doing something that affect to 99% of the people in a bad way,
>>>> > just because we want to "help" a stupid that forget to close the
>>>> mail
>>>> > in a *public* computer, is nonsense IMO...
>>>> >
>>>> > btw, someone knows how does gmail or hotmail manage this ?
>>>> >
>>>> >
>>>> > On 9/7/06, Mark Edwards <mark(a)antsclimbtree.com> wrote:
>>>> >> On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
>>>> >>
>>>> >> > Closing the navegator SHOULD kill the session, AFAIK.
>>>> >> >
>>>> >> > So, the only reason I see is if you leave the web browser open.
>>>> >>
>>>> >> Why is that not a good enough reason for a timeout safety feature?
>>>> >> Someone can have it open but hidden and not realize it.
>>>> >>
>>>> >> Just because someone does something stupid or wrong doesn't mean
>>>> >> there shouldn't be a safety feature to help them.
>>>> >>
>>>> >> --
>>>> >> Mark Edwards
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>>
>>>>
>>>> --
>>>> Mark Edwards
>>>>
>>>>
>>>>
>>>
>>>
>=20



--===============4802368641911320800==--