[Tickets #3386] NEW: logouts due to imp_key cookie timeouts.

bugs@bugs.horde.org bugs at bugs.horde.org
Wed Feb 1 19:14:36 PST 2006


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=3386
-----------------------------------------------------------------------
 Ticket             | 3386
 Created By         | mike.ryan at tufts.edu
 Summary            | logouts due to imp_key cookie timeouts.
 Queue              | Horde Framework Packages
 Version            | FRAMEWORK_3
 State              | Unconfirmed
 Priority           | 1. Low
 Type               | Bug
 Owners             | 
+New Attachment     | horde.patch
-----------------------------------------------------------------------


mike.ryan at tufts.edu (2006-02-01 19:14) wrote:

We're using Horde 3.0.5, IMP 4.0.4, Turba 2.0.4, and Ingo 1.0.2 for webmail,
and running into a variety of cases where users are logged out prematurely.

We've tracked one of these cases to imp_key cookies timing out before the
Horde session cookie.  When this happens, decryption of
$_SESSION['imp']['pass'] results in garbage, IMAP login fails, and the user
gets punted back to the login screen with a "Login failed" error.  We also
get some interesting log entries (appended below).

One obvious reason why this can happen is that the imp_key cookie is set on
the login screen, but the Horde cookie is reset (in lib/Horde.php) after
login.  If the browser sits at the login screen for a while (e.g. machines
in a lab), the imp_key and Horde cookie expirations may get quite out of
sync.

The attached patch extends all *_key cookies when the Horde cookie gets
reset if $conf['session']['timeout'] is non-zero.  This may not be the best
solution, but it seems to work for me.

Jan 31 15:59:10 pitchblende.usg.tufts.edu HORDE[21748]: [ID 800047
local4.error] [imp] FAILED LOGIN 130.64.202.238 to
imap.tufts.edu:993[imap/ssl] as mryan01 [on line 237 of
"/usr/local/apache/htdocs/horde/imp/lib/Auth/imp.php"]
Jan 31 15:59:10 pitchblende.usg.tufts.edu
ZZZZZZ*\217<CC>\204\204\204ZZZZ[21748]: [ID 800047 local4.notice] PHP
Notice:  (null)(): Authentication failed (errflg=1) in Unknown on line 0
Jan 31 15:59:10 pitchblende.usg.tufts.edu last message repeated 2 times
Jan 31 15:59:10 pitchblende.usg.tufts.edu
ZZZZZZ*\217<CC>\204\204\204ZZZZ[21748]: [ID 800047 local4.notice] PHP
Notice:  (null)(): Too many login failures (errflg=2) in Unknown on line 0
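
The expiry drift described in the ticket, as an added timeline model (not the attached horde.patch and not Horde code): it shows the window in which the session cookie is still valid but the key cookie is gone, and how re-extending *_key cookies at login closes it. The toy cipher, the 3600-second timeout, the sample password, the assumption that the login form is submitted before the timeout, and the assumption that a missing key cookie makes the server fall back to a fresh key are all constructed for the illustration.

```python
import hashlib
import os

TIMEOUT = 3600  # seconds; constructed stand-in for $conf['session']['timeout']
PASSWORD = b"example-password"  # constructed sample value

def toy_crypt(key, data):
    """XOR with a key-derived stream. Model cipher only, not Horde's."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

class Browser:
    """Cookie jar that stops sending a cookie once its expiry has passed."""
    def __init__(self):
        self.jar = {}  # name -> (value, expires_at)

    def set(self, name, value, now):
        self.jar[name] = (value, now + TIMEOUT)

    def get(self, name, now):
        value, expires_at = self.jar.get(name, (None, 0))
        return value if now < expires_at else None

def simulate(idle_at_login, active_for, extend_keys):
    """Return what the server decrypts `active_for` seconds after login."""
    browser, session = Browser(), {}
    # t = 0: login screen served, both cookies set together.
    browser.set("imp_key", os.urandom(16), 0)
    browser.set("Horde", "sid-before-login", 0)
    # t = idle_at_login (< TIMEOUT): form submitted, password stored encrypted.
    t = idle_at_login
    session["pass"] = toy_crypt(browser.get("imp_key", t), PASSWORD)
    browser.set("Horde", "sid-after-login", t)  # session cookie reset at login
    if extend_keys:  # the behaviour the ticket describes for the patch
        for name in [n for n in browser.jar if n.endswith("_key")]:
            value = browser.get(name, t)
            if value is not None:
                browser.set(name, value, t)
    # t = idle_at_login + active_for: a later request in the same session.
    t += active_for
    if browser.get("Horde", t) is None:
        return None  # session itself has expired; normal timeout
    # Assumption: with no key cookie the server falls back to a fresh key.
    key = browser.get("imp_key", t) or os.urandom(16)
    return toy_crypt(key, session["pass"])
```

With 3000 seconds idle at the login screen, any request between 600 and 3600 seconds after login decrypts to garbage unless the key cookie was extended.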



