[Tickets #11570] Session without cookies: Re-login fails

bugs at horde.org
Mon Oct 22 13:58:19 UTC 2012


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/11570
------------------------------------------------------------------------------
  Ticket             | 11570
  Created By         | Thomas Jarosch <thomas.jarosch at intra2net.com>
  Summary            | Session without cookies: Re-login fails
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Thomas Jarosch <thomas.jarosch at intra2net.com> (2012-10-22 13:58) wrote:

Hi,

when using sessions without cookies and having different IP addresses  
for the horde installation and the IMAP server, I cannot reuse the PHP  
session after a logout.

I've enabled the "debug" and "debug_raw" options in  
imp/config/backends.php to see what's going on.

This small tweak is applied to the code to log the IMAP password:
--- a/framework/Imap_Client/lib/Horde/Imap/Client/Socket.php
+++ b/framework/Imap_Client/lib/Horde/Imap/Client/Socket.php
@@ -610,7 +610,7 @@ class Horde_Imap_Client_Socket extends  
Horde_Imap_Client_Base
                  new  
Horde_Imap_Client_Data_Format_Astring($this->getParam('password'))
              ));
              $this->_sendLine($cmd, array(
-                'debug' => sprintf('[LOGIN Command - username: %s]',  
$this->_params['username'])
+                'debug' => sprintf('[LOGIN Command - username: %s,  
password: "%s"]', $this->_params['username'],  
$this->getParam('password'))
              ));
              break;
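
Review bot: The changed 'debug' entry passed to $this->_sendLine() now formats $this->getParam('password') into the LOGIN debug string, so the cleartext IMAP password ends up in the debug log for every login while the backend "debug" option is on. The question being investigated is only whether the password is empty on re-login, so logging a boolean or a length is enough, for example password_set: %s with empty($this->getParam('password')) ? 'no' : 'yes'. If the full value is kept for a local test, the change should stay out of any shared branch and the debug log should be deleted after the session.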


Some more info:
[root at intranator]# grep auth horde/config/conf.php
$conf['auth']['admins'] = array('admin');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'list';
$conf['auth']['params']['hostspec'] = '192.168.122.254';
$conf['auth']['params']['port'] = 143;
$conf['auth']['params']['secure'] = 'none';
$conf['auth']['driver'] = 'imap';
$conf['auth']['params']['count_bad_logins'] = false;
$conf['auth']['params']['login_block'] = false;
$conf['auth']['params']['login_block_count'] = 5;
$conf['auth']['params']['login_block_time'] = 5;



Analyzing the IMAP debug output, I can see that  
"$this->getParam('password')" is empty when trying to reuse the  
session ID.

-> The login screen somehow fails to set the "new" password or some  
kind of other magic resets it. When using sessions with cookies,  
re-login works fine.


Cheers,
Thomas





