Hi to all.
I discovered a problem with the login, where after some logins and logouts, every new login attempt kicked me back to the login screen, without any mention of a problem in the logs. I searched the forum and found that some users experienced similar problems.
After some debugging I found the weak point. The problem is that the sess_read and sess_write methods, which are used during logout and also by the periodic mail checking process, are not "synchronized" (thread-safe). So it is possible that the two events occur at the same time:
The events occur in the following order:
Step 4 ("mail check") overwrites the session parameters from Step 3 ("logout"). The concrete problem in this case is the temp parameter. On the next login, session_start reads in the session parameter, where "temp" must be true to start a new session. Otherwise (when "temp" == false), Roundcube expects a valid session and tries to resume that session. (In index.php, $_SESSION['temp'] will be checked but fails.)
The only way a new login is possible is to reset the cookies (restart IE and delete cookies in Firefox).
From my point of view, the session handlers (session_start(), session_destroy() and session_regenerate_id()) must be atomic. So the session handler must have exclusive access to the custom session methods in session.inc.
Micha.
List info: http://lists.roundcube.net/dev/
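
The lost update described in the post above, modelled in Python as an added example (not code from Roundcube or from the original message). The `SessionStore` class, the `last_check` field, the forced interleaving and the assumption that logout sets `temp` to true are constructed for illustration; one lock held across read and write stands in for the exclusive access the post asks for.

```python
import contextlib
import threading


class SessionStore:
    """In-memory stand-in for the storage behind sess_read/sess_write."""

    def __init__(self):
        self.rows = {"sid": {"temp": False}}   # constructed: an active session
        self.lock = threading.Lock()

    def sess_read(self, sid):
        return dict(self.rows[sid])            # each request gets its own copy

    def sess_write(self, sid, data):
        self.rows[sid] = dict(data)            # whole-row overwrite, last writer wins


def run(locked):
    """Race a mail check against a logout; return the final session row."""
    store = SessionStore()
    mail_has_read = threading.Event()
    logout_done = threading.Event()

    def guard():
        # locked=True: read-modify-write is one critical section
        return store.lock if locked else contextlib.nullcontext()

    def mail_check():
        with guard():
            data = store.sess_read("sid")      # snapshot still has temp == False
            mail_has_read.set()
            logout_done.wait(timeout=0.3)      # window in which logout tries to run
            data["last_check"] = "now"
            store.sess_write("sid", data)      # unlocked: clobbers logout's write

    def logout():
        mail_has_read.wait()                   # force the problematic interleaving
        with guard():
            data = store.sess_read("sid")
            data["temp"] = True                # assumption: logout marks session temp
            store.sess_write("sid", data)
        logout_done.set()

    threads = [threading.Thread(target=f) for f in (mail_check, logout)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.rows["sid"]


if __name__ == "__main__":
    print("unsynchronized:", run(locked=False))   # temp ends up False
    print("exclusive access:", run(locked=True))  # temp ends up True
```
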