On 8/10/07, Sebastian Petters / 4wd media sebastian.petters@4wdmedia.de wrote:
Dear RoundCube developers,
first of all thank you for the development of RoundCube! Even in this pre-1.0 state, this project looks very promising. I'm looking forward for the further development.
For a customer we are using an ini-setting session.cookie_lifetime which is non-zero, so the session is still open if the browser gets closed. With this setting, a login to RoundCube was not possible. I tracked the problem down to the function sess_regenerate_id() in program/include/session.inc. The parameters passed to the call to setcookie are not right. A possible solution may be the following:
session_id($random); $cookie = session_get_cookie_params();
- setcookie(session_name(), $random, $cookie['lifetime'], $cookie['path']);
$expire = ($cookie['lifetime'] == 0) ? 0 : time() + $cookie['lifetime'];
setcookie(session_name(), $random, $expire, $cookie['path']);
return true;
setcookie does not expect the lifetime but an expiry unix timestamp. If the cookie lifetime is 0 (session cookie) nothing changes. Otherwise, if the lifetime is non-zero we need to add the current time.
Standard behavior on webmails is, that when you close the browser, the session is gone. I wouldn't want it any other way. Of course this is not as "important" as online banking but on the other hand important enough.
I think what you are asking for would ask for a config-option, so if you implement it that way I would have no objections. ;-)
Feedback?
I'm sorry for not using your bugtracker, but i didn't find a "report bug" form. Anyhow, i hope the patch will get applied.
We run everything on http://trac.roundcube.net
Till _______________________________________________ List info: http://lists.roundcube.net/dev/