[Tickets #3386] NEW: logouts due to imp_key cookie timeouts.
bugs@bugs.horde.org
Wed Feb 1 19:14:36 PST 2006
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=3386
-----------------------------------------------------------------------
Ticket | 3386
Created By | mike.ryan at tufts.edu
Summary | logouts due to imp_key cookie timeouts.
Queue | Horde Framework Packages
Version | FRAMEWORK_3
State | Unconfirmed
Priority | 1. Low
Type | Bug
Owners |
+New Attachment | horde.patch
-----------------------------------------------------------------------
mike.ryan at tufts.edu (2006-02-01 19:14) wrote:

we're using horde 3.0.5, imp 4.0.4, turba 2.0.4, and ingo 1.0.2 for webmail,
and running into a variety of cases where users are logged out prematurely.
we've tracked one of these cases to imp_key cookies timing out before the
Horde session cookie. when this happens, decryption of
$_SESSION['imp']['pass'] results in garbage, IMAP login fails, and the user
gets punted back to the login screen with a "Login failed" error. we also
get some interesting log entries (appended below).

one obvious reason why this can happen is that the imp_key cookie is set on
the login screen, but the Horde cookie is reset (in lib/Horde.php) after
login. if the browser sits at the login screen for a while (e.g. machines
in a lab), the imp_key and Horde cookie expirations may get quite out of
sync.

the attached patch extends all *_key cookies when the Horde cookie gets
reset if $conf['session']['timeout'] is non-zero. this may not be the best
solution, but it seems to work for me.

Jan 31 15:59:10 pitchblende.usg.tufts.edu HORDE[21748]: [ID 800047 local4.error] [imp] FAILED LOGIN 130.64.202.238 to imap.tufts.edu:993[imap/ssl] as mryan01 [on line 237 of "/usr/local/apache/htdocs/horde/imp/lib/Auth/imp.php"]
Jan 31 15:59:10 pitchblende.usg.tufts.edu ZZZZZZ*\217<CC>\204\204\204ZZZZ[21748]: [ID 800047 local4.notice] PHP Notice: (null)(): Authentication failed (errflg=1) in Unknown on line 0
Jan 31 15:59:10 pitchblende.usg.tufts.edu last message repeated 2 times
Jan 31 15:59:10 pitchblende.usg.tufts.edu ZZZZZZ*\217<CC>\204\204\204ZZZZ[21748]: [ID 800047 local4.notice] PHP Notice: (null)(): Too many login failures (errflg=2) in Unknown on line 0
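
The cookie timeline described in the ticket above, modelled as an added example (not Horde code and not the attached horde.patch). It shows the window in which the session cookie is still sent but imp_key has expired, and how re-extending *_key cookies at login closes it. The session cookie name "Horde", the 3600 s timeout and the 1500 s idle time are assumptions chosen for illustration.

```python
import math


class CookieJar:
    """Minimal browser cookie jar: name -> (value, absolute expiry in seconds)."""

    def __init__(self):
        self.cookies = {}

    def set(self, name, value, now, lifetime):
        # lifetime 0 models a browser-session cookie that never times out.
        self.cookies[name] = (value, now + lifetime if lifetime else math.inf)

    def get(self, name, now):
        value, expires = self.cookies.get(name, (None, 0))
        return value if now < expires else None


def log_in(timeout, idle_at_login, extend_keys):
    """Login page served at t=0, credentials submitted at t=idle_at_login."""
    jar = CookieJar()
    jar.set("imp_key", "constructed-key", 0, timeout)   # set on the login screen
    jar.set("Horde", "pre-login-sid", 0, timeout)       # assumed cookie name
    jar.set("Horde", "sid", idle_at_login, timeout)     # reset after login
    if extend_keys and timeout:                         # behaviour the ticket describes
        for name in list(jar.cookies):
            value = jar.get(name, idle_at_login)
            if name.endswith("_key") and value is not None:
                jar.set(name, value, idle_at_login, timeout)
    return jar


def request(jar, now):
    """Outcome of a request at time `now`, given which cookies the browser sends."""
    if jar.get("Horde", now) is None:
        return "session expired"
    if jar.get("imp_key", now) is None:
        return "login failed"   # session alive, key gone: password cannot be decrypted
    return "ok"


TIMEOUT, IDLE = 3600, 1500      # constructed values, in seconds
unpatched = log_in(TIMEOUT, IDLE, extend_keys=False)
patched = log_in(TIMEOUT, IDLE, extend_keys=True)
for t in (3000, 4000, 5200):
    print(t, request(unpatched, t), "|", request(patched, t))
```

In this model the unpatched window runs from t=3600 to t=5100, exactly the time the browser sat at the login screen.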