[horde] We cannot verify that this request was really sent by you.
Beth Halsema
bhalsema at purdue.edu
Fri Mar 20 17:39:59 UTC 2009
Our group is currently experimenting with the Horde Groupware Webmail
Edition (version 1.2.2) and session handling, using Memcached
(version 1.2.6). We are using the imp module to authenticate.
One of the requirements for our installation is that idle sessions
ultimately expire.
During several experiments and searching the mailing list archives,
I verified that the Horde Memcache session handler no longer includes
the "lifetime" information in the Memcached dialogue.
http://cvs.horde.org/co.php/framework/SessionHandler/SessionHandler/memcache.php?r=1.23.
In a post from Michael Slusarz, he mentioned other functionality that
is provided via the Memcache Session Handler, so I decided to experiment
with it (version 2.2.5). I have modified the /etc/php.ini and other
PHP configuration files as well as changed the Horde configuration to use
the default PHP session handler (Memcache).
My initial experiments are quite promising. The PHP variable
'session.gc_maxlifetime' is being used to enforce garbage collection.
So, idle sessions are expiring. Yes!
All seems to wonderfully operate until I attempt to log out. If I click
on "Mail" (or one of the other applications) in the sidebar and then the
"Log out" icon at the top of the frame, then it logs out.
However, if I click on "Log out" in the sidebar, then I receive the error:
    We cannot verify that this request was really sent by you. It could
    be a malicious request. If you intended to perform this action,
    you can retry it now.
The URL shown at the time that the error message is displayed is:
    https://hostname/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
If I modify the URL to be
    https://hostname/imp/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
then it works.
Steve Devine mentioned in a previous post (10/14/2008 post) something along
these lines. The line that is responsible for the error message is in
the "horde/lib/Horde.php" file and function, checkRequestToken. There is
also a bug ticket
http://bugs.horde.org/ticket/7931
that appears to describe quite well what I am experiencing, but it is listed
as Resolved. The only difference in my setup from that which is posted in
the ticket is that I am not using the MySQL session handler.
Please note, this behavior was not seen when I was using the Horde
Memcache session handler. However, I also didn't have idle sessions
expiring, which is necessary in our setup. So, using the Horde Memcache
session handler appears to not be an option.
My expertise is not in the area of web-based applications and definitely
not PHP, so if I am missing something obvious, I REALLY appreciate any
guidance into what I have overlooked or misunderstood. Otherwise...help?
:)
Thank you in advance,
Beth
-------------------------------------------------------------------------
Beth A. Halsema Sr. Network Analyst/Engineer
Utility Software Services email:bhalsema at purdue.edu
OVPIT - IT Infrastructure
401 S. Grant St. phone:(765)496-7456
West Lafayette, Indiana 47907-2024 fax :(765)494-0566