[imp] Users getting other users' login (session)?
S. Joyce
sjlist@heidelberg.edu
Wed, 04 Sep 2002 08:12:14 -0400
---------------------- multipart/alternative attachment
Greetings. A few weeks ago, there was a similar thread on this issue. I didn't see a resolution, and I've searched the list archives but am not finding information that seems germane to our instance. Randomly, and infrequently, it seems, users are able to access another user's log in and email account.
Situation: one of my more astute faculty members reports for his students:
>I have had students using IMP inadvertently log into one another's accounts, without using (or even knowing) the other people's passwords or usernames. This happened both Friday and today. The same two computers were involved, but in neither case had the students ever used the other computer (my first question to them). What is more, all the computers in the room had been completely powered off over the weekend....
>
>On Friday, it was only a matter of one student logging into the IMP system and then the other student, when he opened the browser (without yet logging into anything) having the first student's IMP account appear on his screen. We logged him out and thought that was strange but just an anomaly.
>
>Today, both students--sitting at the same computers--had each other's accounts show up on the screen. As we were marveling over this, a third student--across the room from them--opened her browser and got one of the first two students' IMP accounts. What is more, when she logged out of that account, that student was also logged out of his account on his machine.
In this particular instance, the clients were using IE 6 on Windows 2000. I doubt that's related, but I suppose it could be a browser issue with the session id. Another report, even more recent:
>....a woman opened the browser to IMP and was automatically logged in as another student in the class (who happened to be logged in at that time). These folks have not used the machines where their logins and passwords are appearing.
To me, this sounds like a duplicate sessions issue. I'm no PHP sessions expert, but we seem to have pretty much standard session settings in php.ini:
session.cookie_lifetime 0 (the default)
session.gc_maxlifetime 1440 (the default)
session.gc_probability 10 (up from 1--wanted more frequent clean up)
session.save_handler files (the default)
Has anyone else experienced the same problems? Horde 2.1, Turba 2.1, IMP 3.1, Apache 1.3.23, with PHP 4.1.2. Using Solaris 7 and UW IMAP. No LDAP, standard UNIX shadow passwords. PHP session data is being written directly to files (the default), and not to any database.
TIA for any suggestions you can offer. It is of course bad PR to get someone else's email without effort. BTW, although I'm reporting a problem, kudos once again to Chuck et. al. for a terrific product. It gets raves here.
Sean
sjlist@heidelberg.edu
---------------------- multipart/alternative attachment
<html>
Greetings. A few weeks ago, there was a similar thread on this
issue. I didn't see a resolution, and I've searched the list
archives but am not finding information that seems germane to our
instance. Randomly, and infrequently, it seems, users are able to
access another user's log in and email account.<br><br>
Situation: one of my more astute faculty members reports for his
students:<br><br>
<blockquote type=cite class=cite cite>I have had students using IMP
inadvertently log into one another's accounts, without using (or even
knowing) the other people's passwords or
usernames.<font color="#FF0000"> </font>This happened both Friday
and today. The same two computers were involved, but in neither
case had the students ever used the other computer (my first question to
them). What is more, all the computers in the room had been completely
powered off over the weekend....<br><br>
On Friday, it was only a matter of one student logging into the IMP
system and then the other student, when he opened the browser (without
yet logging into anything) having the first student's IMP account appear
on his screen. We logged him out and thought that was strange but just an
anomaly. <br><br>
Today, both students--sitting at the same computers--had each other's
accounts show up on the screen. As we were marveling over this, a third
student--across the room from them--opened her browser and got one of the
first two students' IMP accounts. What is more, when she logged out of
that account, that student was also logged out of his account on his
machine.</blockquote><br>
In this particular instance, the clients were using IE 6 on Windows
2000. I doubt that's related, but I suppose it could be a browser
issue with the session id. Another report, even more
recent:<br><br>
<blockquote type=cite class=cite cite>....a woman opened the browser to
IMP and was automatically logged in as another student in the class (who
happened to be logged in at that time). These folks have not used
the machines where their logins and passwords are appearing.
</blockquote><br>
To me, this sounds like a duplicate sessions issue. I'm no PHP
sessions expert, but we seem to have pretty much standard session
settings in php.ini:<br><br>
<x-tab> </x-tab>session.cookie_lifetime<x-tab> </x-tab><x-tab> </x-tab>0<x-tab> </x-tab>(the
default)<br>
<x-tab> </x-tab>session.gc_maxlifetime<x-tab> </x-tab><x-tab> </x-tab>1440
<x-tab> </x-tab>(the default)<br>
<x-tab> </x-tab>session.gc_probability<x-tab> </x-tab><x-tab> </x-tab>10<x-tab> </x-tab>(up
from 1--wanted more frequent clean up)<br>
<x-tab> </x-tab>session.save_handler<x-tab> </x-tab><x-tab> </x-tab>files<x-tab> </x-tab>(the
default)<br><br>
Has anyone else experienced the same problems? Horde 2.1, Turba
2.1, IMP 3.1, Apache 1.3.23, with PHP 4.1.2. Using Solaris 7 and UW
IMAP. No LDAP, standard UNIX shadow passwords. PHP session
data is being written directly to files (the default), and not to any
database.<br><br>
TIA for any suggestions you can offer. It is of course bad PR to
get someone else's email without effort. BTW, although I'm
reporting a problem, kudos once again to Chuck et. al. for a terrific
product. It gets raves here.<br><br>
<br>
Sean<br>
sjlist@heidelberg.edu</html>
---------------------- multipart/alternative attachment--