FW: [imp] User accessing other's session without login

Patterson, S R S.R.Patterson@soton.ac.uk
Mon, 21 May 2001 10:04:13 +0100


Hi,

Please read the message below, sent to the list in February.  Brent
suggested I upgrade horde and imp, which I did; I'm now on horde 1.2.4
(below it should have read 1.2.0-pre12 of course!) and imp 2.2.4.
I've also upgraded to php-4.0.4pl1.  We have also added two further
sites, totalling four.  One of these is an MS-Exchange IMAP interface
and one is an unknown imapd.  We're now seeing ~2000 unique users per
day (totalling many more sessions!) of ~5500 unique users in total out
of a potential userbase of 30,000.

The problem persists: over the past week I've had two reports of
people going to the IMP URL and immediately being presented with the
mailbox of another user with no login needed.  I'm going to do some
digging and investigating today, but I thought I'd flag this for your
attention and see if anybody has an immediate answer.

Steve
-- 
Steven Patterson, MSci ----------------------------------------------+
|       Electronic Information Systems Support and Development       |
|         Computing Services, University of Southampton, UK.         |
+-------------------------------------------- Tel: +44 (0) 2380 595810
......                                                          ......
..     These words are not my own they only come when I'm alone     ..
......                                                          ......


-----Original Message-----
From: Steven Patterson [mailto:S.R.Patterson@soton.ac.uk] 
Sent: 12 February 2001 10:09
To: imp@lists.horde.org
Subject: [imp] User accessing other's session without login


I've looked for this in the bugs database but can't find a sign of it...

We have had some reports of a user connecting to our IMP url only to find
they are at the folder list of another user without any need to login.
Naturally this is concerning!  I can only assume it is something to do with
session ids being duplicated.  Is anybody aware of this and is there a fix
available?

Details:

imp 2.2.0-pre12 on horde 1.2.9-pre12
apache 1.3.12 running php3-5horde7, mod_ssl 2.6.2-1.3.12 plus openssl 0.9.5
Washington Imapd 4.7c2
Two sites configured, the localhost imapd and a remote imap server, version
unknown.
Hardware is a Sun Enterprise 250 running Solaris 7, dual 400Mhz processors,
2Gig ram, ATM.
We have approximately 1500 unique users per day on average (peaking at 2000
per day with about 5000 unique active users in total and a total of ~30000
email addresses registered) and at peak times we get about 30 lines per
second in apache's access_log and up to 2-3 imap logins per second
(according to process accounting data).

Thanks, Steve

