I didn't see it listed in the trac Tickets, but I wanted to see if
this was a bug.
Log in to Roundcube, and then leave by visiting another site,
closing the window, etc. Now return to the main Roundcube index
(e.g. www.domain.com/webmail). You'll see "Your session is invalid",
even though your session is only seconds/minutes old, and you'll need
to re-login.
I found that this error was being produced from "login.php", at line
174:
if ($_auth !== $sess_auth
Because "$_auth" has no value, set on line 92:
$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
Which looks for an "_auth" cookie, which never exists.
I fixed this by setting the "_auth" cookie when the session is
created. Added at line 101 in "program/include/main.inc":
setcookie("_auth",$sess_auth);
Is this OK? Would it be better to remove the "$_auth !== $sess_auth"
test altogether? (everything seemed to work when I did that, since
"sess_auth" is used where important?).
Rich
That should be "index.php" not "login.php" of course. :)
On May 31, 2006, at 8:40 AM, richs@whidbey.net wrote:
[...]
richs@whidbey.net wrote:
[...]
It should not be removed. It's a security check. What if you got up and left and someone went back in your history and tried to log into your email? What if Roundcube didn't check the session? Would you really want /anyone/ to be able to see/send email from your account?
I think it should be left in. If you don't want to leave the webmail system, get a real browser like Firefox/Opera and don't use IE.
In regard to the browsers: IE is the most used browser, and some of us don't have a choice; we are required to use it for work. Also, Opera does the same thing as he stated.
Brett Patterson - Roundcube Forum Admin wrote:
[...]
richs@whidbey.net wrote:
[...]
As far as I know, re-opening a new window creates a new session... What's probably happening (please correct me if I'm wrong) is that your remote IP is matched with a session ID. When you close your window and re-open a new one, you get a new session ID, and the saved remote IP does not match this new session ID ==> "Your session is invalid"
Chris Richardson wrote:
[...]
I was referring to tabbed browsing ;)
On Wed, May 31, 2006 11:02 am, Chris Richardson wrote:
[...]
When you end a phone call, even seconds later you cannot pick up the phone and expect to be connected to the person you just talked to. This is how sessions _should_ work in the web context. A session is a 'period devoted to an activity'. By closing the window, or leaving to another site, you are in effect 'ending your session', therefore the way it works is correct. Regardless of browser used...
On May 31, 2006, at 8:57 AM, Brett Patterson - Roundcube Forum Admin wrote:
[...]
As it is right now, the "$_auth !== $sess_auth" test doesn't work.
That's the only point I wanted to make. :)
I agree that it shouldn't be removed, but fixed instead (by setting
_auth).
Remember that if you don't click "Log Out", the session won't be
destroyed, and it's true... someone will be able to use your Back/
History to access your mail (until the session times out). That
applies to all browsers.
Hi Rich,
I think you got something wrong here. First, there's a session timeout you can configure in your main.inc.php file. This is set to 10 minutes by default. When RoundCube is opened in your browser, it sends a keep-alive signal every minute to keep the session up.
Second, the _auth value is not a cookie (yes, it never exists) but a GET or POST parameter as you can see in your browser's location bar. Setting a cookie does not solve any problem here.
The target of that hash was to increase security by checking the URL hash against the value stored in the session (identified by the cookie). If you return to RoundCube once you've left it, your browser still sends the session cookie (it might still be valid) but the _auth hash is missing and your session is considered invalid.
This _auth hash is going to be removed and replaced by a second cookie that will change its value at a specific interval. (Ticket #1483811)
Regards, Thomas
richs@whidbey.net wrote:
[...]
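The check Thomas describes above, modelled as an added example (a constructed Python model written for this page, not Roundcube's PHP code): a session is identified by a cookie, but every request must also carry a per-login secret as the `_auth` parameter, so a request that arrives with the cookie alone (the bare /webmail URL, a page re-opened from history) is rejected; the session is kept alive by the minute-by-minute keep-alive and dropped after the 10-minute idle timeout, or immediately on logout. The cookie name `sessid`, the dict-based request shape, the `SessionStore` class and the clock injection are assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Idle timeout after which a session is dropped; 10 minutes is the default
# Thomas mentions for main.inc.php. Constructed model, not Roundcube's code.
SESSION_TIMEOUT = 600


class SessionStore:
    """Server-side session table keyed by the value of the session cookie.

    Each session also stores a per-login secret (`sess_auth`) that the browser
    must send back as the `_auth` request parameter; a request that carries
    only the cookie (a page re-opened from browser history, or the bare
    /webmail URL) is rejected.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be exercised offline

    def login(self, user):
        """Create a session; returns (cookie value, _auth token)."""
        sid = secrets.token_hex(16)
        sess_auth = secrets.token_hex(16)
        self._sessions[sid] = {
            "user": user,
            "sess_auth": sess_auth,
            "last_seen": self._clock(),
        }
        return sid, sess_auth

    def logout(self, sid):
        """Destroy the session; without this it survives until the timeout."""
        self._sessions.pop(sid, None)

    def authorize(self, cookies, params):
        """Return the session's user if the request is valid, else None.

        `cookies` and `params` are plain dicts standing in for the request's
        Cookie header and its GET/POST parameters. The `_auth` comparison
        mirrors the `$_auth !== $sess_auth` test discussed in the thread.
        """
        sid = cookies.get("sessid", "")
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > SESSION_TIMEOUT:
            self._sessions.pop(sid, None)  # idle too long: expire it
            return None
        # Constant-time compare on bytes; encoding first avoids the TypeError
        # hmac.compare_digest raises for non-ASCII str input.
        supplied = params.get("_auth", "").encode("utf-8", "surrogateescape")
        if not hmac.compare_digest(supplied, sess["sess_auth"].encode()):
            return None
        sess["last_seen"] = now  # every valid request (incl. keep-alive) refreshes the session
        return sess["user"]


def demo():
    """Walk through the scenarios from the thread; returns who each request resolved to."""
    clock = [1_000_000.0]  # fake wall clock so the timeout can be advanced by hand
    store = SessionStore(clock=lambda: clock[0])
    sid, token = store.login("rich")
    cookies = {"sessid": sid}
    out = {}
    # Normal navigation inside the webmail UI: cookie plus _auth in the URL.
    out["with_token"] = store.authorize(cookies, {"_auth": token})
    # Returning to /webmail from another site or from history: cookie only.
    out["cookie_only"] = store.authorize(cookies, {})
    # Someone on the same browser guessing the token.
    out["wrong_token"] = store.authorize(cookies, {"_auth": "0" * 32})
    # Keep-alive pings every minute keep `last_seen` fresh for nine minutes.
    for _ in range(9):
        clock[0] += 60
        out["keepalive"] = store.authorize(cookies, {"_auth": token})
    # Eleven idle minutes with no keep-alive: expired even with the right token.
    clock[0] += 11 * 60
    out["idle_expired"] = store.authorize(cookies, {"_auth": token})
    # "Log Out" destroys the session at once, independent of the timeout.
    sid2, token2 = store.login("rich")
    store.logout(sid2)
    out["after_logout"] = store.authorize({"sessid": sid2}, {"_auth": token2})
    return out


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:14s} -> {who}")
```

In this model, dropping the `_auth` comparison, or handing the token to the browser in a cookie it sends automatically with every request, makes the `cookie_only` case succeed as well, which is exactly the history/back-button replay the check exists to reject; what remains is cookie-only authentication that lives until the idle timeout or an explicit logout.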
That makes sense. Sorry for my confusion there,
Rich
On May 31, 2006, at 11:48 PM, Thomas Bruederli wrote:
[...]