Martin Marques wrote:
On Fri, 8 Sep 2006, Thomas Bruederli wrote:
What's this discussion all about? RoundCube has a session timeout for security reasons, which can be turned off by configuration. Please, no more discussion about advantages and disadvantages of session timeouts or about intelligent and stupid users!
How can it be turned off? I remember you saying that $rcmail_config['session_lifetime'] = false disables it, but someone had some doubts about that.
Trust me, you can. But this setting isn't the reason for the session problems anyway.
A session failure could occur if a request (like draft saving [btw. yes, we already have an automatic draft saving mechanism!]) takes a lot of time. In that case, the cookie could be switched to a new value but the HTTP header has not been sent to the client yet. If the keep-alive request is sent in the meantime, it arrives with the "old" cookie value which will cause RoundCube to deny the request and send a redirect to the login screen.
Besides the draft saving, could this also happen when deleting lots of mails, one at a time? Like constantly hitting the delete button?
Could be. It actually can happen when there are concurrent requests and one of them gets a new cookie value. To prevent problems here, the "old" cookie will still be accepted as well in revision 338.
Besides the draft saving, the client will still send the keep-alive requests while composing a message. I can leave Roundcube open in compose mode for hours and my session does not time out.
~Thomas
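
The race described in this message, and the fix of still accepting the "old" cookie, modelled as an added example (not RoundCube's code and not part of the original mail). The class name, the rotation interval and the bounded grace window are assumptions of the example; the mail only says the old value will still be accepted.

```php
<?php
// Hypothetical model of a rotating session cookie value.
final class SessionToken
{
    const ROTATE_AFTER  = 300; // assumed: switch to a new value every 5 minutes
    const GRACE_SECONDS = 30;  // assumed: how long the previous value stays valid

    private $current;
    private $previous = null;
    private $rotatedAt;

    public function __construct(int $now)
    {
        $this->current   = bin2hex(random_bytes(16));
        $this->rotatedAt = $now;
    }

    // Called while handling a request; returns the value for Set-Cookie.
    public function rotateIfDue(int $now): string
    {
        if ($now - $this->rotatedAt >= self::ROTATE_AFTER) {
            $this->previous  = $this->current;
            $this->current   = bin2hex(random_bytes(16));
            $this->rotatedAt = $now;
        }
        return $this->current;
    }

    // Strict check: only the newest value passes (the behaviour that
    // redirects a concurrent request to the login screen).
    public function checkStrict(string $cookie): bool
    {
        return hash_equals($this->current, $cookie);
    }

    // Tolerant check: the previous value also passes, but only for a short
    // window after rotation, so a captured old value does not live on.
    public function checkTolerant(string $cookie, int $now): bool
    {
        if (hash_equals($this->current, $cookie)) {
            return true;
        }
        return $this->previous !== null
            && ($now - $this->rotatedAt) <= self::GRACE_SECONDS
            && hash_equals($this->previous, $cookie);
    }
}
// Constructed timeline: a slow draft save rotates the value at t=300 before
// its response reaches the client; a keep-alive then arrives with the old one.
$s = new SessionToken(0); $old = $s->rotateIfDue(0); $s->rotateIfDue(300);
foreach (['strict t=302' => $s->checkStrict($old), 'tolerant t=302' => $s->checkTolerant($old, 302), 'tolerant t=400' => $s->checkTolerant($old, 400)] as $k => $ok) { echo $k, ': ', $ok ? "accepted\n" : "rejected\n"; }
```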