[Tickets #3386] logouts due to imp_key cookie timeouts.
bugs@bugs.horde.org
bugs at bugs.horde.org
Tue Feb 28 10:14:27 PST 2006
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=3386
-----------------------------------------------------------------------
Ticket | 3386
Updated By | Michael Slusarz <slusarz at mail.curecanti.org>
Summary | logouts due to imp_key cookie timeouts.
Queue | Horde Framework Packages
Version | HEAD
State | Assigned
Priority | 3. High
Type | Bug
Owners | Horde Developers
-----------------------------------------------------------------------
Michael Slusarz <slusarz at mail.curecanti.org> (2006-02-28 10:14) wrote:
> we're using horde 3.0.5, imp 4.0.4, turba 2.0.4, and ingo 1.0.2 for
> webmail, and running into a variety of cases where users are logged
> out prematurely.
>
> we've tracked one of these cases to imp_key cookies timing out before
> the Horde session cookie. when this happens, decryption of
> $_SESSION['imp']['pass'] results in garbage, IMAP login fails, and
> the user gets punted back to the login screen with a "Login failed"
> error. we also get some interesting log entries (appended below).
>
> one obvious reason why this can happen is that the imp_key cookie is
> set on the login screen, but the Horde cookie is reset (in
> lib/Horde.php) after login. if the browser sits at the login screen
> for a while (e.g. machines in a lab), the imp_key and Horde cookie
> expirations may get quite out of sync.
I've implemented some code (currently only in HEAD) to deal with this - the
code has been cleaned up somewhat from what you submitted. See:
http://lists.horde.org/archives/cvs/Week-of-Mon-20060227/055354.html
Could you see if this works for you?
More information about the bugs
mailing list