Chris Richardson wrote:
In regards to the browsers, IE is the most used browser and some of us
don't have a choice; we are required to use it for work. Also, Opera
does the same thing as he stated.
Brett Patterson - Roundcube Forum Admin wrote:
[EMAIL PROTECTED] wrote:
That should be "index.php" not "login.php" of course. :)
On May 31, 2006, at 8:40 AM, [EMAIL PROTECTED] wrote:
I didn't see it listed in the trac Tickets, but I wanted to see if
this was a bug.
Log into Roundcube, and then leave by visiting another site,
closing the window, etc. Now return to the main Roundcube index
(e.g. www.domain.com/webmail). You'll see "Your session is
invalid", even though your session is only seconds/minutes old, and
you'll need to re-login.
I found that this error was being produced from "login.php", at
line 174:
if ($_auth !== $sess_auth
Because "$_auth" has no value, set on line 92:
$_auth = get_input_value('_auth', RCUBE_INPUT_GPC);
Which looks for an "_auth" cookie, which never exists.
I fixed this by setting the "_auth" cookie when the session is
created. Added at line 101 in "program/include/main.inc":
setcookie("_auth",$sess_auth);
Is this OK? Would it be better to remove the "$_auth !==
$sess_auth" test altogether? (everything seemed to work when I did
that, since "sess_auth" is used where important?).
Rich
It should not be removed. It's a security check. What if you got up
and left and someone went back in your history and tried to log into
your email? What if Roundcube didn't check the session? Would you
really want /anyone/ to be able to see/send email from your account?
I think it should be left in. If you don't want to leave the webmail
system, get a real browser like Firefox/Opera and don't use IE.
I was referring to tabbed browsing ;)
--
~ Brett Patterson ~
Roundcube Forum Admin
www.roundcubeforum.net
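
The check discussed in this thread, modelled as an added PHP example (it is not Roundcube's code and not from any poster): the client must present the same "_auth" value the server holds in the session, and the cookie that carries it is issued with restrictive attributes. The function names, the lookup order and the sample token are assumptions of the example.

```php
<?php
// Added illustration, not Roundcube code; function names are hypothetical.

// Look for the client-supplied "_auth" value in GET, POST, then cookie data
// (the lookup order is an assumption of this example).
function request_auth_token(array $get, array $post, array $cookie): ?string
{
    foreach ([$get, $post, $cookie] as $source) {
        if (isset($source['_auth']) && is_string($source['_auth'])) {
            return $source['_auth'];
        }
    }
    return null;
}

// Accept the session only when the client presents the token stored
// server-side. hash_equals() compares in constant time.
function session_is_valid(?string $clientToken, string $sessAuth): bool
{
    return $clientToken !== null && hash_equals($sessAuth, $clientToken);
}

// Attributes for the cookie that carries the token back to the server.
function auth_cookie_options(): array
{
    return [
        'expires'  => 0,        // no fixed lifetime: a browser-session cookie
        'path'     => '/',
        'secure'   => true,     // assumes the webmail is served over HTTPS
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Strict', // not sent on cross-site requests
    ];
}

$sessAuth = bin2hex(random_bytes(16)); // constructed sample token
// In a web request, before any output is sent:
// setcookie('_auth', $sessAuth, auth_cookie_options());

$cases = [
    'no token sent (the reported behaviour)' => request_auth_token([], [], []),
    'matching cookie'                        => request_auth_token([], [], ['_auth' => $sessAuth]),
    'stale or guessed token'                 => request_auth_token(['_auth' => 'deadbeef'], [], []),
];
foreach ($cases as $label => $token) {
    printf("%-40s %s\n", $label, session_is_valid($token, $sessAuth) ? 'accepted' : 'Your session is invalid');
}
```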