That is killing me!
In Firefox I have lost multiple emails as I was writing them and then cannot go back and copy out my text. The session timeout should never kick someone out while they are writing an email. It should just block actions done against the server.
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
I would guess that it's the automatic save-to-draft that is causing the session to be validated and incorrectly expired. There might be a way to disable this auto-save feature...
Brennan Stehling wrote:
That is killing me!
In Firefox I have lost multiple emails as I was writing them and then cannot go back and copy out my text. The session timeout should never kick someone out while they are writing an email. It should just block actions done against the server.
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
On Wed, 6 Sep 2006 22:05:59 -0500, Brennan Stehling brennan@offwhite.net wrote:
That is killing me!
In Firefox I have lost multiple emails as I was writing them and then cannot go back and copy out my text. The session timeout should never kick someone out while they are writing an email. It should just block actions done against the server.
I'm not *positive* this fixed it, but I didn't get kicked out to the login once today. Try session_lifetime at 1000:
[22:59:57] [root@chavez ../www/data/roundcubemail]# diff config/main.inc.php config/main.inc.php~ 100c100
$rcmail_config['session_lifetime'] = 100;
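Review bot: the 100c100 hunk shows only the session_lifetime = 100 line of config/main.inc.php, so the output does not show the 1000 suggested above; include both sides of the change so readers can see which file holds which value. A longer lifetime also only stretches the idle window: it does not explain why an active session is being rejected, and it lengthens the time a session left open on a shared machine stays usable, so treat it as a stopgap to revert once the underlying failure is fixed.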
Lemme know, I'll monitor my install and see if I lose any emails that way!
P
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
-- http://fak3r.com - you don't have to kick it
me too !!
On 9/7/06, Brennan Stehling brennan@offwhite.net wrote:
That is killing me!
In Firefox I have lost multiple emails as I was writing them and then cannot go back and copy out my text. The session timeout should never kick someone out while they are writing an email. It should just block actions done against the server.
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
I also am having this problem...
why not close the session just when the browser closes ?
why should RC have a fixed timeout ? outlook doesn't have one, and is doing fine...
that is the best option IMO...
On 9/7/06, Brennan Stehling brennan@offwhite.net wrote:
That is killing me!
In Firefox I have lost multiple emails as I was writing them and then cannot go back and copy out my text. The session timeout should never kick someone out while they are writing an email. It should just block actions done against the server.
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
I second that.
On Thu, 7 Sep 2006 11:32:57 -0300, "Sergio A. Kessler" sergiokessler@gmail.com wrote:
I also am having this problem...
why not close the session just when the browser closes ?
why should RC have a fixed timeout ? outlook doesn't have one, and is doing fine...
that is the best option IMO...
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
Wait a minute, are you guys really suggesting there should be *no*
timeout? One of the primary uses for a webmail client is to view
email on public computers. I sure as heck want to know that if I
somehow fail to logout on a public machine, that my session will be
closed for me.
On Sep 7, 2006, at 2:17 PM, Martin Marques wrote:
I second that.
--
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
-- Mark Edwards
On Thu, 7 Sep 2006 14:21:30 -0700, Mark Edwards mark@antsclimbtree.com wrote:
Wait a minute, are you guys really suggesting there should be *no*
timeout? One of the primary uses for a webmail client is to view
email on public computers. I sure as heck want to know that if I
somehow fail to logout on a public machine, that my session will be
closed for me.
Enlighten me: What do you mean with "fail to logout"?
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
He's referring to when a person *forgets* to log out.
Martin Marques wrote:
On Thu, 7 Sep 2006 14:21:30 -0700, Mark Edwards mark@antsclimbtree.com wrote:
Wait a minute, are you guys really suggesting there should be *no*
timeout? One of the primary uses for a webmail client is to view
email on public computers. I sure as heck want to know that if I
somehow fail to logout on a public machine, that my session will be
closed for me.
Enlighten me: What do you mean with "fail to logout"?
--
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
On Sep 7, 2006, at 2:28 PM, Martin Marques wrote:
On Thu, 7 Sep 2006 14:21:30 -0700, Mark Edwards mark@antsclimbtree.com wrote:
Wait a minute, are you guys really suggesting there should be *no* timeout? One of the primary uses for a webmail client is to view email on public computers. I sure as heck want to know that if I somehow fail to logout on a public machine, that my session will be closed for me.
Enlighten me: What do you mean with "fail to logout"?
Either forget to logout, or the logout doesn't complete properly for
whatever reason (temporarily lost communication with the server, etc.)
The point isn't *why* the logout fails, the point is that a session
timeout is a safety feature in case, for whatever reason, a logout
doesn't happen.
-- Mark Edwards
On Thu, 7 Sep 2006 14:33:32 -0700, Mark Edwards mark@antsclimbtree.com wrote:
On Sep 7, 2006, at 2:28 PM, Martin Marques wrote:
On Thu, 7 Sep 2006 14:21:30 -0700, Mark Edwards mark@antsclimbtree.com wrote:
Wait a minute, are you guys really suggesting there should be *no* timeout? One of the primary uses for a webmail client is to view email on public computers. I sure as heck want to know that if I somehow fail to logout on a public machine, that my session will be closed for me.
Enlighten me: What do you mean with "fail to logout"?
Either forget to logout, or the logout doesn't complete properly for whatever reason (temporarily lost communication with the server, etc.)
The point isn't *why* the logout fails, the point is that a session timeout is a safety feature in case, for whatever reason, a logout doesn't happen.
Closing the navigator SHOULD kill the session, AFAIK.
So, the only reason I see is if you leave the web browser open.
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
So, the only reason I see is if you leave the web browser open.
Why is that not a good enough reason for a timeout safety feature?
Someone can have it open but hidden and not realize it.
Just because someone does something stupid or wrong doesn't mean
there shouldn't be a safety feature to help them.
-- Mark Edwards
On Sep 7, 2006, at 5:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
On a Mac, closing the window does not kill a session - you have to
quit the app. The same thing can happen in Win IE 6 if you have
multiple windows spawned from each other (ctrl-n to create new
window) rather than launching individual instances (at least this
used to be the case - I'm not sure if this behavior has changed since
the last time I checked).
Cheers, --Alex
Personal http://alexking.org Business http://kingdesign.net
It can be helpful to have it log you out automatically if it is a shared computer. But I would like more options on what happens. On Slashdot they have a checkbox next to the login button to indicate if it is a public terminal. I assume that would cause it to behave differently when it is checked or not.
But I would not want to just start adding features which just make things more complicated. Perhaps an option could be added to the Personal Settings to turn on or off the timeout.
Brennan
On Thu, 7 Sep 2006 17:50:19 -0600, Alex King lists@alexking.org wrote:
On Sep 7, 2006, at 5:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
On a Mac, closing the window does not kill a session - you have to quit the app. The same thing can happen in Win IE 6 if you have multiple windows spawned from each other (ctrl-n to create new window) rather than launching individual instances (at least this used to be the case - I'm not sure if this behavior has changed since the last time I checked).
Cheers, --Alex
Personal http://alexking.org Business http://kingdesign.net
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
and how do you stop people from doing stupid things ? and where do you draw the line ?
I mean, if I delete an important file or mail and clean the trash, how do you stop me ?
shit happens, anyway...
and doing something that affects 99% of the people in a bad way, just because we want to "help" a stupid that forgets to close the mail in a *public* computer, is nonsense IMO...
btw, does someone know how gmail or hotmail manage this ?
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
So, the only reason I see is if you leave the web browser open.
Why is that not a good enough reason for a timeout safety feature? Someone can have it open but hidden and not realize it.
Just because someone does something stupid or wrong doesn't mean there shouldn't be a safety feature to help them.
-- Mark Edwards
GMail allows you to check a box to stay logged in for 2 weeks. Otherwise once you close the browser you are logged out of the system.
I like that approach. But I have been in the middle of writing an email when my session did expire. When I clicked the send button it showed me a message that my session had expired but did not move to a new screen. It allowed me to copy the text of my email so that I can log back in and continue along by pasting in the text again.
I would prefer it to simply prompt me for my password to reset the timeout though. If I am in the middle of something I do not want to be kicked out or interrupted.
Brennan
On Thu, 7 Sep 2006 21:24:07 -0300, "Sergio A. Kessler" sergiokessler@gmail.com wrote:
and how do you stop people from doing stupid things ? and where do you draw the line ?
I mean, if I delete an important file or mail and clean the trash, how do you stop me ?
shit happens, anyway...
and doing something that affects 99% of the people in a bad way, just because we want to "help" a stupid that forgets to close the mail in a *public* computer, is nonsense IMO...
btw, does someone know how gmail or hotmail manage this ?
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
I don't see how this kind of attitude can possibly help Roundcube.
Squirrelmail has a timeout, as does Webmin, Cacti, and nearly every
other web interface that has a login.
I am amazed that this is even an issue.
I agree that the timeout needs to not threaten the usability of the
app, and that needs discussion, but saying "screw people if they
don't log out" is ridiculous for an application that is supposed to
offer a user-friendly interface for novices to use their email.
On Sep 7, 2006, at 5:24 PM, Sergio A. Kessler wrote:
and how do you stop people from doing stupid things ? and where do you draw the line ?
I mean, if I delete an important file or mail and clean the trash, how do you stop me ?
shit happens, anyway...
and doing something that affects 99% of the people in a bad way, just because we want to "help" a stupid that forgets to close the mail in a *public* computer, is nonsense IMO...
btw, does someone know how gmail or hotmail manage this ?
-- Mark Edwards
On Thu, 2006-09-07 at 19:29 -0500, Brennan Stehling wrote:
GMail allows you to check a box to stay logged in for 2 weeks. Otherwise once you close the browser you are logged out of the system.
I like that approach. But I have been in the middle of writing an email when my session did expire. When I clicked the send button it showed me a message that my session had expired but did not move to a new screen. It allowed me to copy the text of my email so that I can log back in and continue along by pasting in the text again.
I would prefer it to simply prompt me for my password to reset the timeout though. If I am in the middle of something I do not want to be kicked out or interrupted.
Hi. I'm new to RC and just downloaded it, but I think it's a great app with a lot of potential. I'd like to slowly become involved with development and have been reading this list.
I know the Microsoft Exchange Web Access does something similar. When you enter your username/password, there's two choices: "Public Computer" (default) which times your session out (after 20 minutes or so) and "Private Computer" which doesn't time you out at all.
Personally, I think this is a great idea -- Allow the user to choose if they want to be logged out automatically, but make sure that the 'public computer' option is default so unknowing users get that.
~Jeff
it seems gmail does the right thing.
but, by far, the most common scenario is a written mail lost because of a session timeout, and this is happening to a lot of people (as you can see), just because someone wants to help an *eventual* and *hypothetical* stupid user that maybe forgot to close the mail...
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
I don't see how this kind of attitude can possibly help Roundcube.
Squirrelmail has a timeout, as does Webmin, Cacti, and nearly every other web interface that has a login.
I am amazed that this is even an issue.
I agree that the timeout needs to not threaten the usability of the app, and that needs discussion, but saying "screw people if they don't log out" is ridiculous for an application that is supposed to offer a user-friendly interface for novices to use their email.
-- Mark Edwards
Forgive me if I'm stating the obvious, but it seems like the debate
is centering around the question of, "Is the timeout useful?" This
seems like a completely different question from "Why is my session
expiring even though I'm actively using RoundCube?" If the session
management were working correctly, the sessions wouldn't be timing
out during message composition and we wouldn't be discussing the
first question at all.
Am I missing something?
On Sep 7, 2006, at 7:37 PM, Sergio A. Kessler wrote:
it seems gmail does the right thing.
but, by far, the most common scenario is a written mail lost because of a session timeout, and this is happening to a lot of people (as you can see), just because someone wants to help an *eventual* and *hypothetical* stupid user that maybe forgot to close the mail...
No, you're not missing something.
Would an AutoSave to Drafts stop the session timing out? Is there an AutoSave feature for the compose window?
I recall getting caught out by this when I spent a long time composing an email but I'm almost 100% certain it was while I was still using SquirrelMail.
Rob.
Eric Stadtherr wrote:
Forgive me if I'm stating the obvious, but it seems like the debate is centering around the question of, "Is the timeout useful?" This seems like a completely different question from "Why is my session expiring even though I'm actively using RoundCube?" If the session management were working correctly, the sessions wouldn't be timing out during message composition and we wouldn't be discussing the first question at all.
Am I missing something?
That is exactly right. And beyond timing out during an email composition, in Firefox once it kicks you out to that page you cannot simply go back and copy the text you were writing. The timeout may be set to 20 minutes, but should work as a sliding window which is extended each time you take an action.
And you can monitor if someone is pressing the keys while in the composition window. Activity during composition should slide the window.
Brennan
On Thu, 7 Sep 2006 20:12:36 -0600, Eric Stadtherr estadtherr@gmail.com wrote:
Forgive me if I'm stating the obvious, but it seems like the debate is centering around the question of, "Is the timeout useful?" This seems like a completely different question from "Why is my session expiring even though I'm actively using RoundCube?" If the session management were working correctly, the sessions wouldn't be timing out during message composition and we wouldn't be discussing the first question at all.
Am I missing something?
-- Brennan Stehling Offwhite.net LLC brennan@offwhite.net
Just my tuppence worth. Sessions expire when there is no activity between the client and the web server for a given session, for the given timeout. In traditional asp, the default was 20 minutes, in Tomcat (Java) it is 30. I'm not sure about PHP.
As someone suggested before, an autosave feature could help with this. If the timeout is 20 minutes, an auto-save (triggered by a javascript timer on the compose page) every 5 minutes, would prompt a client-server communication, and reset the session timeout back to 20 minutes.
I've not looked too closely, but including something like this on the compose page should fix this.
<script>
// auto-save the draft every 5 minutes (5 * 60 seconds * 1000 ms)
setInterval( "rcmail.command('savedraft','',null)", 5*60*1000 );
</script>
Including this on the compose page should fix the timeout when writing an email, but it would still apply everywhere else in RC.
Apologies if this has already been suggested, or is complete bolx
Pixel
On Thu, 7 Sep 2006 23:30:06 -0500, Brennan Stehling brennan@offwhite.net wrote:
That is exactly right. And beyond timing out during an email composition, in Firefox once it kicks you out to that page you cannot simply go back and copy the text you were writing. The timeout may be set to 20 minutes, but should work as a sliding window which is extended each time you take an action.
And you can monitor if someone is pressing the keys while in the composition window. Activity during composition should slide the window.
Brennan
Helllooo?
What's this discussion all about? RoundCube has a session timeout for security reasons, which can be turned off by configuration. Please, no more discussion about advantages and disadvantages of session timeouts or about intelligent and stupid users!
Fact is, RoundCube has an ugly bug which needs to be fixed. I also spent some time to find out how this can happen (even if I can't reproduce any session failures here).
As far as I can see, the session timeout (the time that can be configured) isn't the reason for this RoundCube bug. Even if you set the session timeout to 10 minutes, it should not really time out because the client sends a keep alive signal every minute.
In 0.1-beta2 I removed the _auth hash from every URL and introduced a second cookie which changes its value every five minutes. The problem of the session authorization failures could be related to this. This second cookie is here to prevent the stealing of somebody's session by reading the session cookie.
A session failure could occur if a request (like draft saving [btw. yes, we already have an automatic draft saving mechanism!]) takes a lot of time. In that case, the cookie could be switched to a new value but the HTTP header has not been sent to the client yet. If the keep-alive request is sent in the meantime, it arrives with the "old" cookie value which will cause RoundCube to deny the request and send a redirect to the login screen.
With revision 338 I added some fall back for checking this changing session cookie. There's also a log file (log/timeouts) that will be filled with $_REQUEST and $_SESSION values if the session authorization (not session timeout) fails.
Please get the latest trunk and test it.
Thomas
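The race Thomas describes above, as an added example that is not part of the original message and is not Roundcube's code: a JavaScript model of a rotating session cookie, checked strictly and then with a short grace period for the previous value. The Session class, the graceMs parameter, the 30-second grace and the token strings are assumptions made for the illustration.

```javascript
// Added example: a model of a rotating session cookie, not Roundcube's code.
const ROTATE_MS = 5 * 60 * 1000; // cookie value changes every five minutes (from the post)
const IDLE_MS = 10 * 60 * 1000;  // idle timeout; 10 minutes as in the post's example

// Compare two tokens without stopping at the first differing character.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class Session {
  // graceMs (hypothetical parameter): 0 is the strict check; a positive value also
  // accepts the previous cookie value for that long after a rotation.
  constructor(now, nextToken, graceMs) {
    this.nextToken = nextToken;
    this.graceMs = graceMs;
    this.token = nextToken();
    this.previous = null;
    this.rotatedAt = now;
    this.lastSeen = now;
  }

  check(cookie, now) {
    if (now - this.lastSeen > IDLE_MS) return { ok: false, reason: 'idle-timeout' };
    const isCurrent = sameToken(cookie, this.token);
    const isPrevious = !isCurrent && this.previous !== null &&
      now - this.rotatedAt < this.graceMs && sameToken(cookie, this.previous);
    if (!isCurrent && !isPrevious) return { ok: false, reason: 'auth-mismatch' };
    this.lastSeen = now; // sliding window: each accepted request extends the session
    if (isCurrent && now - this.rotatedAt >= ROTATE_MS) {
      this.previous = this.token; // remembered only for the grace period
      this.token = this.nextToken();
      this.rotatedAt = now;
    }
    return { ok: true, reason: isPrevious ? 'previous-token' : 'current-token',
             setCookie: this.token };
  }
}

// Replays the sequence from the post: a slow draft save triggers the rotation, and a
// keep-alive leaves the browser before the new cookie value has arrived.
function simulate(graceMs) {
  const SEC = 1000, MIN = 60 * SEC;
  let n = 0;
  // Constructed, predictable tokens so the run is reproducible; use a CSPRNG in real code.
  const nextToken = () => 'tok-' + String(++n).padStart(4, '0');
  const server = new Session(0, nextToken, graceMs);
  let cookie = server.token; // value set at login

  for (let t = MIN; t < 5 * MIN; t += MIN) { // keep-alive every minute
    cookie = server.check(cookie, t).setCookie;
  }
  const draft = server.check(cookie, 5 * MIN);               // server rotates here
  const keepAlive = server.check(cookie, 5 * MIN + 5 * SEC); // still carries the old value
  cookie = draft.setCookie;                                  // slow response finally lands
  const next = server.check(cookie, 6 * MIN);
  return { draft: draft.reason, keepAlive: keepAlive.reason, next: next.reason,
           sentToLogin: !keepAlive.ok };
}

console.log('strict:', simulate(0));
console.log('30 s grace:', simulate(30 * 1000));
```

In the strict run the keep-alive is refused even though the session is still valid for the next request, which matches an authorization failure rather than a timeout. The grace window removes that failure at the cost of a short period in which the old cookie value is still accepted, so it should be no longer than the slowest expected request.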
On Thu, 7 Sep 2006, Mark Edwards wrote:
On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
So, the only reason I see is if you leave the web browser open.
Why is that not a good enough reason for a timeout safety feature? Someone can have it open but hidden and not realize it.
I didn't say it wasn't a good reason, I'm just looking at the possible causes of a RC misuse.
-- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
On Thu, 7 Sep 2006, Sergio A. Kessler wrote:
btw, does someone know how gmail or hotmail manage this ?
Now, this is an interesting point.
-- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
yes, you are missing the fact that sooner or later, you will be writing a long (or interrupted) email (there is no activity other than typing here) and when you hit send, b00m, the email is lost...
it happens with squirrel also...
now, sorry for the noise, I will disable the session timeout...
On 9/7/06, Eric Stadtherr estadtherr@gmail.com wrote:
Forgive me if I'm stating the obvious, but it seems like the debate is centering around the question of, "Is the timeout useful?" This seems like a completely different question from "Why is my session expiring even though I'm actively using RoundCube?" If the session management were working correctly, the sessions wouldn't be timing out during message composition and we wouldn't be discussing the first question at all.
Am I missing something?
On Sep 7, 2006, at 7:37 PM, Sergio A. Kessler wrote:
it seems gmail does the right thing.
but, by far, the most common scenario is a written mail lost because of a session timeout, and this is happening to a lot of people (as you can see), just because someone wants to help an *eventual* and *hypothetical* stupid user that maybe forgot to close the mail...
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
I don't see how this kind of attitude can possibly help Roundcube.
Squirrelmail has a timeout, as does Webmin, Cacti, and nearly every other web interface that has a login.
I am amazed that this is even an issue.
I agree that the timeout needs to not threaten the usability of the app, and that needs discussion, but saying "screw people if they don't log out" is ridiculous for an application that is supposed to offer a user-friendly interface for novices to use their email.
On Sep 7, 2006, at 5:24 PM, Sergio A. Kessler wrote:
and how do you stop people from doing stupid things ? and where do you draw the line ?
I mean, if I delete an important file or mail and clean the trash, how do you stop me ?
shit happens, anyway...
and doing something that affects 99% of the people in a bad way, just because we want to "help" a stupid that forgets to close the
in a *public* computer, is nonsense IMO...
btw, someone knows how does gmail or hotmail manage this ?
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
Closing the navigator SHOULD kill the session, AFAIK.
So, the only reason I see is if you leave the web browser open.
Why is that not a good enough reason for a timeout safety feature? Someone can have it open but hidden and not realize it.
Just because someone does something stupid or wrong doesn't mean there shouldn't be a safety feature to help them.
-- Mark Edwards
-- Mark Edwards
On Fri, 8 Sep 2006, Sergio A. Kessler wrote:
yes, you are missing the fact that sooner or later, you will be writing a long (or interrupted) email (there is no activity other than typing here) and when you hit send, b00m, the email is lost...
Not really Sergio, there is activity. The "save to drafts" which happens every n minutes (5 I think, but am not sure).
-- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
On Fri, 8 Sep 2006, Thomas Bruederli wrote:
What's this discussion all about? RoundCube has a session timeout for security reasons, which can be turned off by configuration. Please, no more discussion about advantages and disadvantages of session timeouts or about intelligent and stupid users!
How can it be turned off? I remember you saying that $rcmail_config['session_lifetime'] = false disables it, but someone had some doubts about that.
A session failure could occur if a request (like draft saving [btw. yes, we already have an automatic draft saving mechanism!]) takes a lot of time. In that case, the cookie could be switched to a new value but the HTTP header has not been sent to the client yet. If the keep-alive request is sent in the meantime, it arrives with the "old" cookie value which will cause RoundCube to deny the request and send a redirect to the login screen.
Besides the draft saving, could this also happen when deleting lots of mails, one at a time? Like hitting constantly the delete button?
With revision 338 I added some fall back for checking this changing session cookie. There's also a log file (log/timeouts) that will be filled with $_REQUEST and $_SESSION values if the session authorization (not session timeout) fails.
Just updated and configured the main.inc.php. I'll test it and send feed back.
-- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
Martin Marques wrote:
On Fri, 8 Sep 2006, Thomas Bruederli wrote:
What's this discussion all about? RoundCube has a session timeout for security reasons, which can be turned off by configuration. Please, no more discussion about advantages and disadvantages of session timeouts or about intelligent and stupid users!
How can it be turned off? I remember you saying that $rcmail_config['session_lifetime'] = false disables it, but someone had some doubts about that.
Trust me, you can. But this setting isn't the reason for the session problems anyway.
A session failure could occur if a request (like draft saving [btw. yes, we already have an automatic draft saving mechanism!]) takes a lot of time. In that case, the cookie could be switched to a new value but the HTTP header has not been sent to the client yet. If the keep-alive request is sent in the meantime, it arrives with the "old" cookie value which will cause RoundCube to deny the request and send a redirect to the login screen.
Besides the draft saving, could this also happen when deleting lots of mails, one at a time? Like hitting constantly the delete button?
Could be. It actually can happen when there are concurrent requests and one of them gets a new cookie value. To prevent problems here, the "old" cookie will still be accepted as well in revision 338.
Besides the draft saving, the client will still send the keep alive requests while composing a message. I can leave Roundcube open in compose mode for hours and my session does not time out.
~Thomas
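The race described in this message (a slow request rotates the session cookie while a keep-alive is already in flight with the old value) can be reproduced in a few lines. The following is an added example, not RoundCube's code or the change made in revision 338; the class, method and parameter names are hypothetical, and the time-limited acceptance window for the replaced value is an assumption of this sketch.

```php
<?php
// Added illustration; class, method and parameter names are hypothetical.
final class RotatingSessionCookie
{
    private string $current;
    private ?string $previous = null;
    private int $rotatedAt;

    public function __construct(
        int $now,
        private int $rotateEvery = 60, // seconds between cookie changes
        private int $grace = 30        // seconds the replaced value stays valid
    ) {
        $this->rotatedAt = $now;
        $this->current = bin2hex(random_bytes(16));
    }

    public function cookie(): string { return $this->current; }

    /** Returns the cookie value to send back, or null to force a new login. */
    public function authorize(string $presented, int $now): ?string
    {
        // The replaced value is honoured only for a bounded window after rotation.
        $inGrace = $this->previous !== null
            && ($now - $this->rotatedAt) < $this->grace;
        $ok = hash_equals($this->current, $presented)
            || ($inGrace && hash_equals($this->previous, $presented));
        if (!$ok) {
            return null; // log the request here, then redirect to login
        }
        if ($now - $this->rotatedAt >= $this->rotateEvery) {
            $this->previous = $this->current;
            $this->current = bin2hex(random_bytes(16));
            $this->rotatedAt = $now;
        }
        return $this->current;
    }
}

// Constructed timeline: the draft save at t=60 rotates the cookie; the
// keep-alive at t=61 was sent before the client saw the new value.
foreach ([0 => 'no fallback', 30 => '30 s fallback'] as $grace => $label) {
    $s = new RotatingSessionCookie(0, 60, $grace);
    $old = $s->cookie();
    $s->authorize($old, 60);                    // slow draft save, rotates
    $keepAlive = $s->authorize($old, 61) !== null;
    $late = $s->authorize($old, 95) !== null;   // old value after the window
    printf("%s: keep-alive %s, t=95 %s\n", $label,
        $keepAlive ? 'accepted' : 'denied', $late ? 'accepted' : 'denied');
}
```

Keeping the window short limits how long a captured old cookie value remains usable, while still covering requests that overlap a rotation.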
When the user's browser is visiting the "compose" page, the keepalive is active. This keepalive resets the session timeout timer every minute. Therefore, it shouldn't matter how long it takes you to compose a message; it should not time out.
On Fri, 8 Sep 2006 09:17:31 -0300, "Sergio A. Kessler" sergiokessler@gmail.com wrote:
yes, you are missing the fact that sooner or later, you will be writing a long (or interrupted) email (there is no activity other than typing here) and when you hit send, b00m, the email is lost...
it happens with squirrel also...
now, sorry for the noise, I will disable the session timeout...
On 9/7/06, Eric Stadtherr estadtherr@gmail.com wrote:
Forgive me if I'm stating the obvious, but it seems like the debate is centering around the question of, "Is the timeout useful?" This seems like a completely different question from "Why is my session expiring even though I'm actively using RoundCube?" If the session management were working correctly, the sessions wouldn't be timing out during message composition and we wouldn't be discussing the first question at all.
Am I missing something?
On Sep 7, 2006, at 7:37 PM, Sergio A. Kessler wrote:
it seems gmail does the right thing.
but, by far, the most common scenario is a written mail lost because of a session timeout, and this is happening to a lot of people (as you can see), just because someone wants to help an *eventual* and *hypothetical* stupid user that maybe forgot to close the mail...
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
I don't see how this kind of attitude can possibly help Roundcube.
Squirrelmail has a timeout, as does Webmin, Cacti, and nearly every other web interface that has a login.
I am amazed that this is even an issue.
I agree that the timeout needs to not threaten the usability of the app, and that needs discussion, but saying "screw people if they don't log out" is ridiculous for an application that is supposed to offer a user-friendly interface for novices to use their email.
On Sep 7, 2006, at 5:24 PM, Sergio A. Kessler wrote:
and how do you stop people from doing stupid things ? and where do you draw the line ?
I mean, if I delete an important file or mail and clean the trash, how do you stop me ?
shit happens, anyway...
and doing something that affects 99% of the people in a bad way, just because we want to "help" a stupid that forgets to close the
in a *public* computer, is nonsense IMO...
btw, someone knows how does gmail or hotmail manage this ?
On 9/7/06, Mark Edwards mark@antsclimbtree.com wrote:
On Sep 7, 2006, at 4:26 PM, Martin Marques wrote:
> Closing the navigator SHOULD kill the session, AFAIK.
>
> So, the only reason I see is if you leave the web browser open.
Why is that not a good enough reason for a timeout safety feature? Someone can have it open but hidden and not realize it.
Just because someone does something stupid or wrong doesn't mean there shouldn't be a safety feature to help them.
-- Mark Edwards
-- Mark Edwards
-- Eric Stadtherr estadtherr@gmail.com