On Fri, 8 Sep 2006, Thomas Bruederli wrote:
> What's this discussion all about? RoundCube has a session timeout for security reasons, which can be turned off by configuration. Please, no more discussion about advantages and disadvantages of session timeouts or about intelligent and stupid users!
How can it be turned off? I remember you saying that $rcmail_config['session_lifetime'] = false disables it, but someone had some doubts about that.
> A session failure could occur if a request (like draft saving [btw. yes, we already have an automatic draft saving mechanism!]) takes a lot of time. In that case, the cookie could be switched to a new value but the HTTP header has not been sent to the client yet. If the keep-alive request is sent in the meantime, it arrives with the "old" cookie value which will cause RoundCube to deny the request and send a redirect to the login screen.
Besides the draft saving, could this also happen when deleting lots of mails, one at a time? Like constantly hitting the delete button?
> With revision 338 I added some fallback for checking this changing session cookie. There's also a log file (log/timeouts) that will be filled with $_REQUEST and $_SESSION values if the session authorization (not session timeout) fails.
Just updated and configured the main.inc.php. I'll test it and send feedback.
-- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
Lic. Martín Marqués   | SELECT 'mmarques' ||
Centro de Telemática  | '@' || 'unl.edu.ar';
Universidad Nacional  | DBA, Programmer,
del Litoral           | Administrator
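
The stale-cookie race described in the quoted text, as an added example that is not part of the original message and is not RoundCube's code: a rotating auth cookie checked once strictly and once with a fallback that accepts exactly one older value. The HMAC derivation, the rotation interval, and every name and value below are assumptions made for illustration.

```php
<?php
// Added illustration; not RoundCube code. All names here are hypothetical.
const ROTATE_EVERY = 600;                // seconds between cookie rotations (assumed)
const SECRET = 'constructed-demo-key';   // constructed value, never a real key

// Auth cookie value for a session in a given rotation slot.
function auth_token(string $sessionId, int $slot): string
{
    return hash_hmac('sha256', $sessionId . '|' . $slot, SECRET);
}

// Returns 'current', 'previous' or 'denied'.
// With $fallback = false only the newest cookie is accepted, which is the
// behaviour that sends an in-flight keep-alive to the login screen.
function check_auth(string $sessionId, string $cookie, int $now, bool $fallback = true): string
{
    $slot = intdiv($now, ROTATE_EVERY);
    if (hash_equals(auth_token($sessionId, $slot), $cookie)) {
        return 'current';
    }
    // Accept exactly one older value: a request sent before the client
    // received the rotated cookie. Anything older stays rejected.
    if ($fallback && hash_equals(auth_token($sessionId, $slot - 1), $cookie)) {
        return 'previous';
    }
    return 'denied';
}

// Constructed timeline: a slow draft save crosses a rotation boundary.
$sid    = 'sess-demo-1';
$t0     = 1199;                                        // 1 s before the slot changes
$cookie = auth_token($sid, intdiv($t0, ROTATE_EVERY)); // value the client still holds
$t1     = 1201;                                        // keep-alive arrives after rotation

echo "strict check:   ", check_auth($sid, $cookie, $t1, false), "\n";
echo "with fallback:  ", check_auth($sid, $cookie, $t1), "\n";
echo "two slots late: ", check_auth($sid, $cookie, $t1 + ROTATE_EVERY), "\n";
```

The fallback trades a longer replay window for a captured cookie (up to two rotation periods instead of one) against spurious logouts, so requests that only pass via the 'previous' branch are worth logging alongside the denied ones.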