Hi to all.

I discovered a problem with the login, where after some logins and logouts, every new login attempt kicked me back to the login screen, without any mention of a problem in the logs. I searched the forum and found that some users experienced similar problems.

After some debugging I found the weak point. The problem is that the sess_read and sess_write methods, which are used during logout and also by the periodical mail checking process, are not “synchronized” (thread-safe). So it is possible that the two events occur at the same time.

The events occur in the following order:
1. Logout calls sess_read
2. Periodical Mail Check calls sess_read
3. Logout calls sess_write (with $vars (temp|b:1))
4. Periodical Mail Check calls sess_write ($vars without temp)

Step 4 (“mail check”) overwrites the session parameters from Step 3 (“logout”). The concrete problem in this case is the temp parameter. On the next login, session_start reads in the session parameter, where “temp” must be true to start a new session. Otherwise, when (“temp” == false), Roundcube expects a valid session and tries to resume that session. (In index.php $_SESSION['temp'] will be checked but fails.)

The only way a new login is possible is to reset the cookies (restart IE and delete cookies in Firefox).

From my point of view, the session handlers (session_start(), session_destroy() and session_regenerate_id()) must be atomic. So the session handler must have exclusive access to the custom session methods in session.inc.

Micha.
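
The lost update described in this post, as an added example that is not part of the original post and not Roundcube's code: a single-process PHP model that replays steps 1-4 against an in-memory store, then repeats the two requests with an exclusive per-session lock held across each read and write. The `SessionStore` class, its methods, the owner names and the sample session values are assumptions made for illustration.

```php
<?php
// Constructed single-process model of the race; not Roundcube code.
// SessionStore stands in for the storage behind sess_read/sess_write.
final class SessionStore
{
    private array $rows = [];
    private array $locks = [];
    public function read(string $id): array { return $this->rows[$id] ?? []; }
    public function write(string $id, array $vars): void { $this->rows[$id] = $vars; }
    // Exclusive per-session lock: false means another request holds it.
    public function tryLock(string $id, string $owner): bool
    {
        if (($this->locks[$id] ?? $owner) !== $owner) { return false; }
        $this->locks[$id] = $owner;
        return true;
    }
    public function unlock(string $id): void { unset($this->locks[$id]); }
}

// Steps 1-4 from the post, interleaved with no locking.
function unsynchronized(SessionStore $s, string $id): array
{
    $s->read($id);                     // 1. logout calls sess_read
    $stale = $s->read($id);            // 2. mail check calls sess_read
    $s->write($id, ['temp' => true]);  // 3. logout writes temp|b:1
    $s->write($id, $stale);            // 4. mail check writes $vars without temp
    return $s->read($id);
}

// Same requests, each holding the lock across its read and write.
function synchronized(SessionStore $s, string $id): array
{
    $s->tryLock($id, 'logout');
    $s->read($id);
    $waited = !$s->tryLock($id, 'mailcheck'); // step 2 cannot start yet
    $s->write($id, ['temp' => true]);
    $s->unlock($id);
    $s->tryLock($id, 'mailcheck');            // acquired after logout finished
    $fresh = $s->read($id);                   // sees temp, not the old session
    $s->write($id, $fresh);
    $s->unlock($id);
    return ['session' => $s->read($id), 'mailcheck_waited' => $waited];
}

$seed = ['user_id' => 1, 'username' => 'constructed@example.org']; // sample data
$a = new SessionStore(); $a->write('sid', $seed);
$b = new SessionStore(); $b->write('sid', $seed);
echo json_encode(unsynchronized($a, 'sid')), "\n";
echo json_encode(synchronized($b, 'sid')), "\n";
```

The first line of output has no `temp` key, which is the state in which the next login is sent back to the login screen; the second keeps `temp` set because the mail check could not read until the logout had written.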