[imp] Very alarming/strange login problems - user logs in to someone else's session

William Tucker wtucker at mail.ucf.edu
Mon Feb 3 10:48:08 PST 2003


Well, after about 5 days of thinking that the /dev/urandom patch had fixed the problem, unfortunately it happened again this morning.  user1 logged in with her correct username/password and found herself right in the middle of another user's session.  My previous report is below.  The only thing that has now changed is that I now have the /dev/random and /dev/urandom devices, and these two settings in php.ini:

session.entropy_length = 32
session.entropy_file = /dev/urandom

I have verified that /dev/urandom spits out random stuff, I don't know how else to check it. :)

Thanks,
William Tucker

-----

From: 	"William Tucker" <wtucker at mail.ucf.edu>
To:	<imp at lists.horde.org>
Date: 	1/28/03 2:15PM
Subject: 	[imp] Very alarming/strange login problems - user logs in to someone else's session

horde 2.1, imp 3.1, apache 1.3.27, php 4.1.2, UW imap IMAP4rev1 2002.334, solaris 8

On to the problem.  This is taking place on a high load (40K users) mail/web server.  When a certain user logs in, she finds herself in the middle of someone else's session.  Here are some log snippets (logins/IPs changed):

Jan 27 19:46:42 HORDE [notice] [imp] Login success for user1 [1.1.1.1] to {pegasus.cc.ucf.edu:143} [on line 51 of "/web/horde_2/imp/redirect.php"]
Jan 27 19:48:12 HORDE [notice] [imp] Logout for user1 [2.2.2.2] from {pegasus.cc.ucf.edu:143} [on line 72 of "/web/horde_2/imp/login.php"]
Jan 27 19:48:22 HORDE [notice] [imp] Login success for user2 [2.2.2.2] to {pegasus.cc.ucf.edu:143} [on line 51 of "/web/horde_2/imp/redirect.php"]
Jan 27 19:48:33 HORDE [notice] [imp] Logout for user2 [2.2.2.2] from {pegasus.cc.ucf.edu:143} [on line 72 of "/web/horde_2/imp/login.php"]

user1 is on 1.1.1.1, and user2 is on 2.2.2.2.

When user2 logs in, she finds herself in the middle of user1's session, and has to log out of that session.  It seems that user1 is not logging out, and is only closing their browser.  Has anyone else seen this behavior?

user1 is not the same username every time, but user2 is the only person complaining of this behavior.

My php.ini settings for sessions are:

session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = HORDE
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /webmail
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_maxlifetime = 1440
session.referer_check =
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 1
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

And I am sure that the cookie_path matches up.  Any suggestions at all would be very appreciated.

Thanks in advance,
William Tucker
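The pattern in the log snippet quoted above, user1 logging in from 1.1.1.1 but being logged out from 2.2.2.2 ten seconds before user2 logs in from 2.2.2.2, is something you can hunt for across the whole Horde log rather than waiting for the next complaint. The script below is an added example for this thread, not code from the original post or from Horde/IMP: it parses IMP's "Login success"/"Logout" notices, flags any session that is logged out from an address other than the one it was logged in from (the session ID is being presented by a second client), and names whoever logged in next from that second address. The four sample lines are the ones from the post; the function names, the five-minute correlation window and the year handling (Horde's syslog-style timestamps carry no year, so they parse as 1900, which is fine for ordering and gaps within one log) are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four Horde log lines from the post, with the
# anonymised logins/IPs used there. Real runs would read the Horde log file.
SAMPLE_LOG = """\
Jan 27 19:46:42 HORDE [notice] [imp] Login success for user1 [1.1.1.1] to {pegasus.cc.ucf.edu:143} [on line 51 of "/web/horde_2/imp/redirect.php"]
Jan 27 19:48:12 HORDE [notice] [imp] Logout for user1 [2.2.2.2] from {pegasus.cc.ucf.edu:143} [on line 72 of "/web/horde_2/imp/login.php"]
Jan 27 19:48:22 HORDE [notice] [imp] Login success for user2 [2.2.2.2] to {pegasus.cc.ucf.edu:143} [on line 51 of "/web/horde_2/imp/redirect.php"]
Jan 27 19:48:33 HORDE [notice] [imp] Logout for user2 [2.2.2.2] from {pegasus.cc.ucf.edu:143} [on line 72 of "/web/horde_2/imp/login.php"]
"""

# Matches only the IMP login/logout notices; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"HORDE \[notice\] \[imp\] (?P<event>Login success|Logout) for "
    r"(?P<user>\S+) \[(?P<ip>[^\]]+)\]"
)


def parse_events(text):
    """Return a time-ordered list of (timestamp, event, user, ip) tuples.

    Assumption: the lines have no year (syslog style), so strptime yields
    year 1900. Ordering and gaps within one day's log are still correct.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other notices, PHP warnings, etc.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}",
                               "%b %d %H:%M:%S")
        events.append((ts, m["event"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def find_session_handoffs(events, window=timedelta(minutes=5)):
    """Flag sessions that end from a different address than they began.

    A logout for user A from an IP that A never logged in from means the
    session ID issued to A is being presented by a second client. If another
    user then logs in from that second address within `window` (an assumed
    correlation window), they are the likely person who found themselves
    inside A's session and had to log out of it.
    """
    open_sessions = {}  # user -> ip the current session was opened from
    findings = []
    for i, (ts, event, user, ip) in enumerate(events):
        if event == "Login success":
            open_sessions[user] = ip
            continue
        login_ip = open_sessions.pop(user, None)
        if login_ip is None or login_ip == ip:
            continue  # unknown session start, or same address: nothing odd
        # Who logged in next from the address that just ended the session?
        next_login = next(
            ((t2, u2) for (t2, e2, u2, ip2) in events[i + 1:]
             if e2 == "Login success" and ip2 == ip and t2 - ts <= window),
            None)
        findings.append({
            "victim": user,
            "login_ip": login_ip,
            "logout_ip": ip,
            "logout_at": ts.strftime("%b %d %H:%M:%S"),
            "next_login_from_logout_ip": next_login[1] if next_login else None,
            "gap_seconds": (int((next_login[0] - ts).total_seconds())
                            if next_login else None),
        })
    return findings


if __name__ == "__main__":
    for finding in find_session_handoffs(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports one hand-off: user1's session, opened from 1.1.1.1, was closed from 2.2.2.2, and user2 logged in from 2.2.2.2 ten seconds later. Pointed at the full log, the count of hand-offs per day and the set of "second" addresses involved will tell you quickly whether this is one client (a proxy, a shared machine) or genuinely random collisions.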


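For the php.ini block quoted in the original report, here is an added example (not from the post or from the Horde project) that parses the posted session settings and reports the directives that bear on a session ID reaching the wrong browser: session.use_trans_sid = 1, which can have PHP rewrite the session ID into links and forms so that a copied, bookmarked, proxy-cached or Referer-leaked URL carries the session with it, and the two entropy directives that the follow-up message later changed. The directive semantics are standard PHP behaviour; which of them, if any, explains this incident is not something the thread establishes. The check table, the `harden` helper and its suggested values are my assumptions.

```python
# Constructed sample: the session block of php.ini exactly as posted.
SAMPLE_INI = """\
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = HORDE
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /webmail
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_maxlifetime = 1440
session.referer_check =
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 1
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
"""


def parse_ini(text):
    """Return {directive: value} for the active (uncommented) lines.

    ';' starts a comment in php.ini, so the commented-out entropy lines are
    skipped. An empty right-hand side (``session.entropy_file =``) is kept as
    an empty string so the checks can tell "unset" from "set to something".
    Surrounding double quotes are stripped from values.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


# directive -> (is_weak(value), why it matters, suggested value)
# The rationale is the standard PHP meaning of each directive; the suggested
# values are this example's assumptions, not a recommendation from the thread.
CHECKS = {
    "session.use_trans_sid": (
        lambda v: v == "1",
        "session ID can be rewritten into links and forms, so any copied, "
        "bookmarked, cached or Referer-leaked URL carries the session with it",
        "0"),
    "session.entropy_length": (
        lambda v: v in ("", "0"),
        "no extra OS entropy is mixed into session IDs",
        "32"),
    "session.entropy_file": (
        lambda v: v == "",
        "no entropy source configured, so entropy_length has nothing to read",
        "/dev/urandom"),
}


def check_session_settings(settings):
    """Return one finding per directive whose value is considered weak.

    A directive that is absent from the file is treated as the empty string
    (PHP's default applies); only use_trans_sid=1 is flagged when present.
    """
    findings = []
    for key, (is_weak, why, suggested) in CHECKS.items():
        value = settings.get(key, "")
        if is_weak(value):
            findings.append({"directive": key, "value": value,
                             "why": why, "suggested": suggested})
    return findings


def harden(settings):
    """Return a copy of the settings with every flagged directive corrected."""
    fixed = dict(settings)
    for finding in check_session_settings(settings):
        fixed[finding["directive"]] = finding["suggested"]
    return fixed


if __name__ == "__main__":
    parsed = parse_ini(SAMPLE_INI)
    for f in check_session_settings(parsed):
        print(f"{f['directive']} = {f['value']!r}: {f['why']} "
              f"(suggested {f['suggested']})")
    print("after hardening:", check_session_settings(harden(parsed)))
```

On the posted block this reports three directives (use_trans_sid, entropy_length, entropy_file); after `harden` it reports none. Note that the follow-up message at the top of the thread had already set the two entropy directives and still saw the problem, which is why the use_trans_sid line is the one left worth examining in this list.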
