User accessing other's session without login

Steven Patterson S.R.Patterson@soton.ac.uk
Mon, 12 Feb 2001 10:08:35 -0000


I've looked for this in the bugs database but can't find a sign of it...

We have had some reports of a user connecting to our IMP URL only to find
they are at the folder list of another user without any need to log in.
Naturally this is concerning!  I can only assume it is something to do with
session ids being duplicated.  Is anybody aware of this and is there a fix
available?

Details:

imp 2.2.0-pre12 on horde 1.2.9-pre12
apache 1.3.12 running php3-5horde7, mod_ssl 2.6.2-1.3.12 plus openssl 0.9.5
Washington Imapd 4.7c2
Two sites configured, the localhost imapd and a remote imap server, version
unknown.
Hardware is a Sun Enterprise 250 running Solaris 7, dual 400MHz processors,
2Gig RAM, ATM.
We have approximately 1500 unique users per day on average (peaking at 2000
per day with about 5000 unique active users in total and a total of ~30000
email addresses registered) and at peak times we get about 30 lines per
second in apache's access_log and up to 2-3 imap logins per second
(according to process accounting data).

Thanks, Steve
--
Steven Patterson, MSci ----------------------------------------------+
|       Electronic Information Systems Support and Development       |
|         Computing Services, University of Southampton, UK.         |
+-------------------------------------------- Tel: +44 (0) 2380 595810
......                                                          ......
..     These words are not my own they only come when I'm alone     ..
......                                                          ......