[imp] Fix for broken SQL session handlers since IMP 3.2.2

Michael Schout mschout at gkg.net
Wed Aug 11 20:36:57 PDT 2004


Hi.

A while back I ran into an (apparently well-known) problem. When 
upgrading from IMP 3.2.1 to IMP 3.2.2, SQL session handlers broke.

Basically, the problem was that you could not log in using SQL session 
handlers in IMP 3.2.2, even though the IMAP server logs show IMP 
connecting successfully.

You can see more details of this problem here:

http://marc.theaimsgroup.com/?l=imp&m=107781309022151&w=2
http://marc.theaimsgroup.com/?l=imp&m=106910608323916&w=2

I have finally gotten some time to look at this and I have figured out 
what is causing this.

In IMP 3.2.2, the following change was made to redirect.php:

-------
@@ -77,6 +77,15 @@
      if (!Horde::getFormData('mailbox')) {
          $_POST['mailbox'] = 'INBOX';
      }
+
+    /* Destroy any existing session on login and make sure to use
+       a new session ID, to avoid session fixation issues.
+       This requires Horde 2.2.4 or higher. */
+    if (in_array('getcleansession', get_class_methods('Horde')) &&
+        ($registry->getMethod('auth/login') == 'imp')) {
+        Horde::getCleanSession();
+    }
+
      if (($reason = IMP::createSession()) === true) {
          $imp['_login'] = true;
          $entry = sprintf('Login success for %s [%s] to {%s:%s}', 
$imp['uniquser'], $_SERVER['REMOTE_ADDR'], $imp['server'], $imp['port']);
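Review bot: the guard `in_array('getcleansession', get_class_methods('Horde'))` compares a lowercased name against whatever get_class_methods() returns, and on PHP 5 that function returns method names in their declared case, so `getcleansession` never matches `getCleanSession` and the whole session-fixation block is skipped silently; `method_exists('Horde', 'getCleanSession')` is case-insensitive and says what is meant. The fallback path also deserves a log line: when Horde is older than 2.2.4 the login proceeds with the pre-login session ID and nothing records that the protection the comment describes was not applied. Conversely, the workaround discussed in this message (deleting the call) reinstates the fixation issue the comment was written to close, so the fix should make Horde::getCleanSession() cooperate with the SQL session handler rather than drop the call.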
-------

Apparently, this is the change that breaks SQL session handlers.  If I 
remove the lines that were added in IMP 3.2.2 (the getCleanSession() 
call), then everything works perfectly.

I don't know enough about the logic as to why this change was made in IMP 
3.2.2, and I don't know why it breaks SQL sessions.  But if I remove the 
getCleanSession() call, it fixes the problem.

I have updated all the way to IMP 3.2.5 and it works perfectly if I 
remove the getCleanSession() call.  If I put the getCleanSession() call 
back in, logins fail once again.

I would really like to see this get fixed in the next IMP release. What 
I do not know, is if simply removing the getCleanSession() call is the 
appropriate thing to do.  I assume there is a reason it was added in IMP 
3.2.2 :).  If removing it is not the right solution, then someone please 
feel free to point me in the right direction :).

Let me know if there is anything I can do to help get this fixed in the 
next IMP release.  For now, we are removing the getCleanSession() call 
from our copy of IMP.

Regards,
Michael Schout
GKG.NET, Inc.
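The following is an added example, not code from IMP, Horde or the author of this message. It shows the pattern the patch comment describes (discard the pre-login session and switch to a fresh session ID at login, so an ID an attacker planted before authentication never becomes an authenticated session) running against a database-backed session handler, which is the combination this message reports as broken. The handler, its `sessions` table, the fixated ID and the user name are all invented for the demonstration; it assumes PHP 8 with PDO and the SQLite driver, and is run from the CLI, which is why cookies are switched off and the session ID is set by hand to stand in for an attacker-supplied one.

```php
<?php
// Added example: session-fixation defence with a PDO/SQLite session handler.
// Not IMP/Horde code; schema, IDs and names are constructed for the demo.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db)
    {
        // Hypothetical schema: one row per session ID.
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // unknown ID: empty session, not an error
    }
    public function write(string $id, string $data): bool
    {
        // Must work for an ID the handler has never seen: after
        // session_regenerate_id() the first write is for the new ID.
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        // Called for the old ID by session_regenerate_id(true).
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// The "clean session" step at login: drop any pre-login state and move to a
// brand-new ID so a fixated ID never becomes an authenticated one.
function loginWithCleanSession(string $user): string
{
    $_SESSION = [];
    session_regenerate_id(true);        // new ID; old row removed via destroy()
    $_SESSION['user'] = $user;
    $_SESSION['_login'] = true;
    return session_id();
}

function sessionIds(PDO $db): array
{
    return $db->query('SELECT id FROM sessions ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// --- demo (no output before the session calls: CLI output marks headers as sent) ---
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_strict_mode', '0');   // accept a caller-supplied ID, as an unhardened server would

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($db), true);

$fixated = 'attackerchosenid000000';     // constructed: ID planted by an attacker before login
session_id($fixated);
session_start();
$_SESSION['pre_login'] = true;
session_write_close();                   // the fixated ID now has a row in the table

session_id($fixated);                    // victim arrives with the planted ID and logs in
session_start();
$newId = loginWithCleanSession('alice');
session_write_close();

$ids = sessionIds($db);
printf("fixated ID still stored: %s\n", in_array($fixated, $ids, true) ? 'yes' : 'no');
printf("post-login ID differs:   %s\n", $newId !== $fixated ? 'yes' : 'no');
printf("post-login ID stored:    %s\n", in_array($newId, $ids, true) ? 'yes' : 'no');
```

The point of the exercise for a database-backed handler is the call order: `session_regenerate_id(true)` invokes `destroy()` for the old ID, and the subsequent write-close invokes `write()` for an ID that has no row yet, so the handler's write must be an insert-or-update rather than a plain UPDATE, and its read must return an empty string (not false or an exception) for an unknown ID. A handler that fails either of those will accept the IMAP login and then lose the session on the very next request, which is the symptom this message describes.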

