On 22.04.2012 20:54, Reindl Harald wrote:
On 22.04.2012 20:46, Michael Heydekamp wrote:
Also here I should note again that we have the compose_newwindow plugin 3.00 installed and activated. No idea, if this might be part of the issue.
if you have the option to disable this it would be a good idea yeah plugins generally can do any damage
Sure, I can disable it any minute (the option is user-configurable anyway, but I can also disable the plugin completely), but as I'm also heavily USING Roundcube myself, it's a bit inconvenient as I need to have access to my message base while composing a message (looking things up here and there).
But well, I can also read the message in a new window and reply from there
disabled then. Ok, will try that.
But given the fact that the InPrivate mode of IE did not make the symptom appear yet, we (or more the core devs) should turn their focus in this direction.
this might be only what you see but not the root cause
See my previous message - as the problem did now appear after my latest post in IE's InPrivate mode as well, we have to drop this theory anyway.
Apparently I was somehow misled by the fact that I could load RC in InPrivate mode, but not in a new tab of the initial IE window/session/instance. But the reason that I could load it in InPrivate mode was not the mode itself, but just the fact that a new window/session/instance of IE was started.
protecting sessions from hijacking by remembering the user-agent at start and aborting each request with the same session ID and a different user-agent is common sense and some implementations are also including the client IP
Didn't know that. But how can a different user on a different machine have the same session ID (if not by random)? Is there any way to a) get hold of the ID of any other user's session, and b) to take influence on his own session ID in a way that he would identify himself with the same ID?
but - using the client IP is braindead these days seeing IMAP users on mobile devices changing their IP all day long, and killing the web-application for them because they switched the mobile-cell is not a good idea
Michael Heydekamp Co-Admin freexp.de Düsseldorf/Germany
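
The check described in the thread (remember the User-Agent when the session starts, reject later requests that present the same session ID with a different one) and the roaming problem with client-IP binding, as an added Python example that is not part of the thread and not Roundcube's code. `SessionStore`, its methods, and all User-Agent strings and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Hypothetical server-side session table that pins a session to its client."""

    def __init__(self, bind_ip=False):
        self.bind_ip = bind_ip                 # True = also pin the client IP
        self._key = secrets.token_bytes(32)    # per-server key for the fingerprint
        self._sessions = {}                    # session ID -> stored fingerprint

    def _fingerprint(self, user_agent, ip):
        material = user_agent + ("|" + ip if self.bind_ip else "")
        return hmac.new(self._key, material.encode(), hashlib.sha256).digest()

    def create(self, user_agent, ip):
        sid = secrets.token_urlsafe(32)        # random, unguessable session ID
        self._sessions[sid] = self._fingerprint(user_agent, ip)
        return sid

    def validate(self, sid, user_agent, ip):
        """Return True only if the request matches what was seen at session start."""
        expected = self._sessions.get(sid)
        if expected is None:
            return False
        # Constant-time comparison of stored vs. presented fingerprint.
        return hmac.compare_digest(expected, self._fingerprint(user_agent, ip))


def demo():
    # Constructed sample clients (documentation address ranges).
    ua_owner = "Mozilla/5.0 (constructed) OwnerBrowser/1.0"
    ua_other = "Mozilla/5.0 (constructed) OtherBrowser/2.0"
    results = {}

    ua_only = SessionStore(bind_ip=False)
    sid = ua_only.create(ua_owner, "192.0.2.10")
    results["same_client"] = ua_only.validate(sid, ua_owner, "192.0.2.10")
    # Mobile user changes cell and gets a new IP: session survives.
    results["roaming_ua_only"] = ua_only.validate(sid, ua_owner, "198.51.100.7")
    # Same session ID presented with a different User-Agent: request rejected.
    results["other_ua"] = ua_only.validate(sid, ua_other, "192.0.2.10")

    ua_ip = SessionStore(bind_ip=True)
    sid2 = ua_ip.create(ua_owner, "192.0.2.10")
    # With IP binding the same roaming user is locked out.
    results["roaming_ua_ip"] = ua_ip.validate(sid2, ua_owner, "198.51.100.7")
    return results
```

The User-Agent is a client-supplied header, so this check is an additional signal on top of an unguessable session ID sent only over an encrypted connection, not a replacement for either.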