[Tickets #3386] logouts due to imp_key cookie timeouts.

bugs@bugs.horde.org bugs at bugs.horde.org
Thu Mar 2 14:08:07 PST 2006


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=3386
-----------------------------------------------------------------------
 Ticket             | 3386
 Updated By         | mike.ryan at tufts.edu
 Summary            | logouts due to imp_key cookie timeouts.
 Queue              | Horde Framework Packages
 Version            | HEAD
 State              | Feedback
 Priority           | 1. Low
 Type               | Bug
 Owners             | Horde Developers
-----------------------------------------------------------------------


mike.ryan at tufts.edu (2006-03-02 14:08) wrote:

>> another patch to make imp authentication more resilient against
>> disappearing cookies, due to timeouts or browser "quirks".  this will
>> recover the password from the horde credentials if possible, or
>> invalidate the session if the horde credentials can't be decrypted.
>> this gives the user a session error instead of a login error, which
>> may be less alarming, and prevents the failed IMAP login, which takes
>> time (10 to 15 seconds in our case) and leaves ugly log entries both
>> on the horde/imp server and the imap server.
>
> Shouldn't this be fixed with the other commit referenced in this 
> ticket?  the cookies - auth and app specific - are set within 
> microseconds of each other, but cookie expirations are only allowed in 
> seconds so this expiration value should be at most no more than a 
> second different from each other.
>
> this code is also invalid if not using 'hordeauth'.

i think the second patch is unnecessary, yes.  i'd thought we were still
running into cases where cookies were disappearing even with the first patch
in place, but it was very rare, and i was never able to understand what
could have caused it, particularly since the problem seemed to affect only
the *_key cookies (and not Horde cookies).

our environment was pretty dynamic at the time -- we were juggling different
versions and configurations of php and several different debugging patches
to horde/imp at the same time.  i'm content to say i probably wasn't seeing
what i thought i was seeing.



