Hi Rich,
I think you got something wrong here. First, there's a session timeout you can configure in your main.inc.php file. This is set to 10 minutes by default. When RoundCube is opened in your browser, it sends a keep-alive signal every minute to keep the session up.
Second, the _auth value is not a cookie (yes, it never exists) but a GET or POST parameter as you can see in your browser's location bar. Setting a cookie does not solve any problem here.
Target of that hash was to increase security by checking the URL hash against the value stored in the session (identified by the cookie). If you return to RoundCube once you've left it, your browser still sends the session cookie (it might still be valid) but the _auth hash is missing and your session is considered invalid.
This _auth hash is subject to be removed and to be replaced by a second cookie that will change its value in a specific interval. (Ticket #1483811)
Regards, Thomas
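To make the two checks Thomas describes concrete, here is an added illustration that is not Roundcube's code: a small server-side session store in which the session cookie must map to a live session that has not passed its idle timeout (10 minutes, kept alive by the client), and the request must also carry the _auth token that matches the value stored in that session. It also sketches the proposal from the ticket, a second token that is rotated on a fixed interval. The class, method names, the 5-minute rotation interval and the timestamps are assumptions chosen for this example.

```php
<?php
// Added example, not Roundcube code. Names, the rotation interval and
// the timestamps below are assumptions made for illustration.

final class SessionStore
{
    // session id => ['auth' => token, 'lastSeen' => ts, 'lastRotated' => ts]
    private array $sessions = [];

    public function __construct(
        private int $idleTimeout = 600,   // 10 minutes, Roundcube's default session timeout
        private int $rotateEvery = 300    // assumed interval for the rotated second token
    ) {}

    // Create a session. Returns [session cookie value, auth token].
    // The session id goes into the cookie; the auth token is what the
    // client must present as _auth (GET/POST) on every request.
    public function create(int $now): array
    {
        $sid  = bin2hex(random_bytes(16));
        $auth = bin2hex(random_bytes(16));
        $this->sessions[$sid] = ['auth' => $auth, 'lastSeen' => $now, 'lastRotated' => $now];
        return [$sid, $auth];
    }

    // Keep-alive: an open client refreshes lastSeen so the session
    // does not hit the idle timeout.
    public function touch(string $sid, int $now): bool
    {
        if (!isset($this->sessions[$sid])) {
            return false;
        }
        $this->sessions[$sid]['lastSeen'] = $now;
        return true;
    }

    // Validate a request. $presentedAuth is the _auth parameter, or null
    // when it is absent (a browser returning with only the cookie).
    // Returns one of: 'no-session', 'expired', 'invalid-auth', 'ok'.
    public function validate(string $sid, ?string $presentedAuth, int $now): string
    {
        $s = $this->sessions[$sid] ?? null;
        if ($s === null) {
            return 'no-session';
        }
        if ($now - $s['lastSeen'] > $this->idleTimeout) {
            unset($this->sessions[$sid]);       // idle too long: drop it server-side
            return 'expired';
        }
        // hash_equals avoids leaking the token through timing differences
        if ($presentedAuth === null || !hash_equals($s['auth'], $presentedAuth)) {
            return 'invalid-auth';
        }
        $this->sessions[$sid]['lastSeen'] = $now;
        return 'ok';
    }

    // Sketch of the ticket's proposal: hand out a token that changes on a
    // fixed interval. The caller would send it with setcookie() so it is
    // still presented after the user navigates away and comes back.
    public function rotate(string $sid, int $now): ?string
    {
        if (!isset($this->sessions[$sid])) {
            return null;
        }
        if ($now - $this->sessions[$sid]['lastRotated'] >= $this->rotateEvery) {
            $this->sessions[$sid]['auth']        = bin2hex(random_bytes(16));
            $this->sessions[$sid]['lastRotated'] = $now;
        }
        return $this->sessions[$sid]['auth'];
    }
}

// Walk-through with constructed timestamps (seconds).
$store = new SessionStore();
[$sid, $auth] = $store->create(1000);
echo $store->validate($sid, $auth, 1030), PHP_EOL;   // cookie and matching _auth
echo $store->validate($sid, null, 1060), PHP_EOL;    // cookie only, _auth missing (Rich's case)
echo $store->validate($sid, $auth, 1700), PHP_EOL;   // no keep-alive for more than 10 minutes
$rotated = $store->rotate($sid, 1000 + 301);         // past the rotation interval: new token
```

The second call is the situation from the original report: the session cookie is still valid, but because the _auth value travels in the URL or POST body rather than in a cookie, a fresh visit to the index page arrives without it and the check fails on purpose. Setting _auth as a cookie, as proposed below, makes the two values travel together and so removes the protection the second check was meant to add; rotating a separate token on an interval is the direction the ticket takes instead.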
richs@whidbey.net wrote:
I didn't see it listed in the trac Tickets, but I wanted to see if this was a bug.
Log into Roundcube, and then leave by visiting another site, closing the window, etc. Now return to the main Roundcube index (e.g. www.domain.com/webmail). You'll see "Your session is invalid", even though your session is only seconds/minutes old, and you'll need to re-login.
I found that this error was being produced from "login.php", at line 174:
if ($_auth !== $sess_auth
Because "$_auth" has no value, set on line 92:
$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
Which looks for an "_auth" cookie, which never exists.
I fixed this by setting the "_auth" cookie when the session is created. Added at line 101 in "program/include/main.inc":
setcookie("_auth",$sess_auth);
Is this OK? Would it be better to remove the "$_auth !== $sess_auth" test altogether? (everything seemed to work when I did that, since "sess_auth" is used where important?).
Rich