[imp] Users still getting into other users' mailboxes at login

James Moore jmoore at thebank.com
Mon Jul 14 12:50:42 PDT 2003


	We were having problems with users getting into other people's
mailboxes at login, as has been reported elsewhere.  We made all the
following changes to our PHP setup, as was recommended in the
discussions:

php.ini:
session.use_cookies = 1
session.use_trans_sid = 0
session.entropy_file = /dev/urandom
session.entropy_length = 64

Other session-related settings are as follows:
/etc/php.ini:
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.save_handler = file
session.save_path = /var/www/tmp

horde.php:
$conf['session_name'] = 'Horde';
$conf['cache_limiter'] = 'nocache';
$conf['session_timeout'] = 0;

We are running the following packages and versions:
        Production    Test
Horde   2.2.1         2.2.3
IMP     3.1           3.2.1
Turba   1.1           1.2

Our webserver uses Redhat 7.3, Apache 1.3.27, PHP v. 4.1.2

	We already know that sessions are being created and garbage-collected
as one would expect from these configuration settings.  After making the
changes, we went about 3 months without further reports of
people getting into others' mailboxes at login.
	Recently, however, we were informed by a user that she has been getting
into one other user's mailbox occasionally over the last month.  She
manages to do this using AOL's browser. Every time it happens, she gets
into the mailbox without having to attempt a login, and always into the
mailbox of the same user.  We have not been able to find out from the
"victim" user how she is invoking the IMP site, or whether she disabled
cookies in her browser.
	In a potentially related issue, we are not able to stop session ids
from being passed in the URI, regardless of how browsers are configured
(Mozilla 1.2.1, IE 6.0, Netscape 4.7x, 7.x).  This goes for both the
production and test sites, the only difference being that on the
production site, the session ID appears in the URI prior to a successful
login, and on the test site it appears only after a successful login.
	I have followed all the threads addressing these issues, and at every
point they come to an end without a satisfactory resolution.  I have a
simple question:  Has anyone found a verified fix, and if not, when is
someone going to put some time into finding one?

Sincerely,
Jim Moore

-- 
James J. Moore, Network Administrator
Citizens National Bank
245 Pittsburgh Road
Butler, PA  16001
Phone: 724-214-6205	Fax: 724-283-9235
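The two symptoms above (a session ID that keeps showing up in the URI, and a user landing in another user's mailbox without logging in) are both what you would expect when a session identifier travels in the URL: it is copied into Referer headers, bookmarks and shared proxy caches, so a second browser can present a still-valid ID. The snippet below is an added example, not code from the original post or from Horde/IMP. It shows the PHP-side hardening that closes that path: accept the session ID only from a cookie, refuse one that arrives in the query string, keep per-user pages out of shared caches, and replace the session ID at login. It assumes PHP 4.3.2 or later, because `session.use_only_cookies` (PHP 4.3.0) and `session_regenerate_id()` (PHP 4.3.2) do not exist in the PHP 4.1.2 named in the post; the session name `Horde` is taken from the posted `horde.php`.

```php
<?php
// Added example (not from the original post): restrict PHP session handling so
// the session ID is accepted only from a cookie, never from the URI, and is
// replaced on login.  Assumes PHP >= 4.3.2.

// Equivalent php.ini lines:
//   session.use_cookies      = 1
//   session.use_only_cookies = 1   ; PHP >= 4.3.0
//   session.use_trans_sid    = 0
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');   // ignore IDs in GET/POST entirely
ini_set('session.use_trans_sid', '0');      // never append the ID to links/forms
ini_set('url_rewriter.tags', '');           // nothing to rewrite even if trans_sid returns

$sessionName = 'Horde';                     // matches $conf['session_name'] in horde.php
session_name($sessionName);

// Any session ID arriving outside a cookie is a sign of a URL-carried session,
// which leaks through Referer headers and proxy caches.  Refuse it outright
// rather than silently starting a session with it.
if (isset($_GET[$sessionName]) || isset($_POST[$sessionName])) {
    header('HTTP/1.0 400 Bad Request');
    exit('Session identifiers are accepted only via cookie.');
}

// Per-user pages must not be stored by shared caches (AOL and other large ISPs
// put many users behind the same proxy).  The 'nocache' limiter, the same value
// as $conf['cache_limiter'] in the post, sends Cache-Control: no-store, no-cache.
session_cache_limiter('nocache');
session_start();

// Call this once a password has been verified.  The pre-login session ID is
// discarded so a user can never inherit a session that was issued before login.
function bind_session_to_user($username)
{
    session_regenerate_id();   // new ID; on PHP < 5.1 the old session file remains until GC
    $_SESSION = array();       // drop anything accumulated before authentication
    $_SESSION['user']      = $username;
    $_SESSION['login_at']  = time();
    $_SESSION['client_ua'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
}

// Call this on every authenticated request.  A session whose browser signature
// has changed is a useful signal that the ID reached a second client; log it and
// force a fresh login instead of serving the mailbox.
function session_belongs_to_client()
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ($_SESSION['client_ua'] !== $ua) {
        error_log('session ' . session_id() . ' for ' . $_SESSION['user']
                  . ' presented by a different user agent; terminating');
        $_SESSION = array();
        session_destroy();
        return false;
    }
    return true;
}
```

The user-agent check is a heuristic, not an authentication control; its value here is as a log line you can correlate with the reports from the affected user. The setting that actually stops the symptom is `session.use_only_cookies`, which makes PHP ignore a `Horde=...` parameter in the URI no matter how the browser is configured, something the posted php.ini cannot do on PHP 4.1.2.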


