Roundcube starts a session even if a user is not logged in. Is it really necessary? IMO, it isn't.
Some background information: I run several cron jobs which are using Roundcube's startup hook. Starting the session on 'startup' blows up the session table dramatically. If you need to start the session before the user has authenticated then I'd like to ask if it is possible to add a param (e.g. &_nosess=1) not to start the session.
On 22 May 2014, at 08:52, Rosali myroundcube@mail4us.net wrote:
Roundcube starts a session even if a user is not logged in. Is it really necessary? IMO, it isn't.
Some background information: I run several cron jobs which are using Roundcube's startup hook. Starting the session on 'startup' blows up the session table dramatically. If you need to start the session before the user has authenticated then I'd like to ask if it is possible to add a param (e.g. &_nosess=1) not to start the session.
I posted about this in 2012. Another important reason not to start sessions on startup is load balancer health checks. We have 17 Roundcube servers all being health checked every few seconds on the same session table. I'm now doing health checks on a deep link into the Apache process so RC isn't being touched, but that way I can't really be certain RC is working.
Cor
On Thu, May 22, 2014 at 7:03 AM, Rosali myroundcube@mail4us.net wrote:
Roundcube starts a session even if a user is not logged in. Is it really necessary? IMO, it isn't.
We use this to check whether the user's browser supports cookies. If the login request doesn't come with a valid session cookie, we can display a proper warning about disabled cookies. One can argue that this isn't necessary, but that's a reason for starting the session.
But maybe we can move that check to the redirected page after login.
~Thomas
On 05/22/2014 10:16 AM, Thomas Bruederli wrote:
We use this to check whether the user's browser supports cookies. If the login request doesn't come with a valid session cookie, we can display a proper warning about disabled cookies. One can argue that this isn't necessary, but that's a reason for starting the session.
But maybe we can move that check to the redirected page after login.
I think we can check cookie support in JavaScript on the login page.
What about security token, can we have it without session?
What about security token, can we have it without session?
no
but you don't need a token nor a session if (PHP_SAPI == 'cli')
if (PHP_SAPI != 'cli') { /* session code */ }
I think that's not the point, because sessions are not started in CLI mode. See rcube.php, session_init:
    // start PHP session (if not in CLI mode)
    if ($_SERVER['REMOTE_ADDR']) {
        $this->session->start();
    }
Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
If the session start is necessary for CSRF prevention then please think about the suggested GET param (_nosess=1).
Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev
On 22.05.2014 10:41, Rosali wrote:
Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
which completely defeats the idea of CSRF
If the session start is necessary for CSRF prevention then please think about the suggested GET param (_nosess=1)
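The three request kinds the thread touches (CLI cron, HTTP-triggered cron or health check with _nosess, and a stateful browser request) as one decision routine, so that a session-less request can never reach an action that a session-bound CSRF token is supposed to protect. This is an added example, not Roundcube's code: the class name, the 'start'/'skip'/'deny' outcomes, the STATEFUL_ACTIONS list and the _action and request_token names are assumptions; only PHP_SAPI, REMOTE_ADDR and _nosess come from the thread.

```php
<?php
// Added example, not Roundcube code. Hypothetical names: SessionPolicy,
// STATEFUL_ACTIONS, _action, request_token, and the three outcome strings.
final class SessionPolicy
{
    /** Actions that change state and therefore need a session-bound CSRF token. */
    private const STATEFUL_ACTIONS = ['login', 'send', 'delete', 'save'];

    /**
     * Decide whether to start a PHP session for this request.
     * Returns 'start' (normal browser request), 'skip' (no session needed),
     * or 'deny' (refuse: a session-less request asked for a stateful action).
     */
    public static function decide(string $sapi, array $server, array $get, string $method): string
    {
        // CLI cron jobs carry no REMOTE_ADDR: no browser, no cookie, nothing
        // to bind a token to. This mirrors the rcube.php check quoted above.
        if ($sapi === 'cli' || empty($server['REMOTE_ADDR'])) {
            return 'skip';
        }

        $action = (string) ($get['_action'] ?? '');

        // _nosess (the proposed GET param) is honoured only for read-only,
        // unauthenticated endpoints such as a health check or an HTTP-
        // triggered cron. If such a request asks for a stateful action it is
        // refused, so the flag cannot be used to sidestep the CSRF token.
        if (!empty($get['_nosess'])) {
            if ($method !== 'GET' || in_array($action, self::STATEFUL_ACTIONS, true)) {
                return 'deny';
            }
            return 'skip';
        }

        return 'start';
    }

    /** CSRF check: the token must come from the session; no session fails closed. */
    public static function verifyToken(?array $session, ?string $token): bool
    {
        if ($session === null || !isset($session['request_token']) || $token === null) {
            return false;
        }
        return hash_equals((string) $session['request_token'], $token);
    }
}

// Constructed sample: a load balancer probe versus a browser login.
echo SessionPolicy::decide('apache2handler', ['REMOTE_ADDR' => '10.0.0.5'],
    ['_nosess' => '1'], 'GET'), "\n";                          // skip
echo SessionPolicy::decide('apache2handler', ['REMOTE_ADDR' => '10.0.0.5'],
    ['_nosess' => '1', '_action' => 'send'], 'POST'), "\n";    // deny
```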