#108 correct password - login fails

open
nobody
None
5
2005-11-29
2005-11-29
Anonymous
No

I'm receiving reports from my users that they often
can't log in, even though they are sure that the password
is correct. I've experienced the issue myself - I log in,
then two frames appear and in the right frame I'm told
to log in again. The password *is* correct. The IMAP server
log says that the login failed due to the password being
blank. The second login usually works fine, but not always.
One user said he tried 12 times before he was able to
enter webmail.

Unfortunately I can't be more specific, as I have no
idea where the problem can be. The issue happens from
time to time and seems to be quite random.

I'm running HEAD (as of 2005-11-27) on PHP 4.4.1
(FastCGI). The IMAP server is Courier IMAP with
up-imapproxy between SquirrelMail and Courier.

Discussion

  • Tomas Kuliavas
    2005-11-29

    • milestone: 241848 -->
     
  • Tomas Kuliavas
    2005-11-29

    Logged In: YES
    user_id=225877

    SquirrelMail 1.5.1cvs contains some changes in cookie
    management. Please provide more information about your setup
    in order to diagnose your problem.

    We need information about the browsers used and the PHP
    session extension configuration.

     
  • Santyaga_ru_RU
    2006-03-29

    Logged In: YES
    user_id=1456625

    I also have this problem. At first I thought it was because
    of an incorrectly tuned Cyrus+SASL(LDAP)+SM1.5.+imapproxy
    setup (all services are local, LDAP is a replica db).
    But when imapproxy is turned off this error continues to
    appear. testsaslauth -u user -p pass -R 100000 ran without
    errors even when I set the sasl cachetime to 1 sec. The LDAP
    server was tested in all possible ways (samba, squid, ssh and
    other services use LDAP and have no trouble).
    This error first appeared on Mozilla in Linux on my
    colleague's computer. I'll try to get the Mozilla conf.
    later. But this error was also noticed on Firefox on Windows
    and Linux, but more rarely. Firefox with standard config.

    I also noticed that if the retrieveuserdata plugin is on,
    this error appears more frequently. I tried analysing
    slapd.log with other logs but couldn't find a significant
    difference between successful and unsuccessful logins (where
    and why the bug appears).
    I think it is because of an incorrect LDAP query, but I can't
    find where; there are too many queries in all, and I can't
    stop them and analyze only the
    SM->SASL->LDAP->imapproxy->Cyrus queries.
    I can't attach SM and php.ini, I didn't see a button for this
    ;). If you tell me how to do it, I'll do it. If you need
    something else just say... Apache ver is 2.0.55-r1, PHP ver
    is 5.1.2; it is attached to apache as a mod (apache started
    with -D PHP5).
    Without the retrieveuserdata plugin this error appears, but
    very rarely.

    PS. PHP has an extension, PECL-apc. I haven't tested
    without it.
    PSS. Sorry for my English.

     
  • Santyaga_ru_RU
    2006-05-16

    Logged In: YES
    user_id=1456625

    I solved this problem.
    It occurs when the string in the $key variable (which is
    later placed in a cookie by this code: sqsetcookie('key',
    $key, false, $base_uri)) contains a "+" sign. For example, I
    printed some keys:
    +3jB0U86
    HtUC9+oJ
    They are correctly set in the browser, but at some moment
    the "+" sign is converted into " " (space), so the system
    fails...
    For now I solved this problem in this way:

    --- auth.php.old
    +++ auth.php.new
    @@ -142,9 +142,11 @@
    function sqauth_save_password($pass) {
    sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);

    + do {
    $onetimepad = OneTimePadCreate(strlen($pass));
    - sqsession_register($onetimepad,'onetimepad');
    $key = OneTimePadEncrypt($pass, $onetimepad);
    + } while (strpos($key, "+"));
    + sqsession_register($onetimepad,'onetimepad');
    sqsetcookie('key', $key, false, $base_uri);
    return $key;
    }
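
    Review bot: The loop condition `while (strpos($key, "+"))` in sqauth_save_password() misses a "+" at the start of the key, because strpos() returns 0 for a match at offset 0 and 0 evaluates as false; a key such as +3jB0U86 would still be written to the cookie. Compare explicitly with `strpos($key, "+") !== false`. Keeping sqsession_register() after the loop is correct, since the pad stored in the session has to be the one that produced the final key.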

    --- redirect.php.old
    +++ redirect.php.new
    @@ -70,8 +70,10 @@
    if (!sqsession_is_registered('user_is_logged_in')) {
    do_hook ('login_before');

    + do {
    $onetimepad = OneTimePadCreate(strlen($secretkey));
    $key = OneTimePadEncrypt($secretkey, $onetimepad);
    + } while (strpos($key, "+"));
    sqsession_register($onetimepad, 'onetimepad');

    /* remove redundant spaces */
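
    Review bot: The `do { ... } while (strpos($key, "+"));` loop here duplicates the one added to auth.php, including a condition that treats a "+" at offset 0 as no match. Consider moving the key generation into one shared function that both files call, with the condition written as `strpos($key, "+") !== false`, and add a comment stating why keys containing "+" are rejected, since nothing in the hunk explains the retry.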

    That is, while the key string has a "+" sign, it is
    regenerated... I'll try to find out why the "+" sign changes
    to a space, if I find some time ;)

    WBR,
    Santyaga_RU

     
  • Santyaga_ru_RU
    2006-05-16

    Logged In: YES
    user_id=1456625

    Sorry, one addition:
    all while expressions are rewritten in this way:
    while (strpos($key, "+") !== false);
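
The failure discussed in this ticket, as an added example that is not part of the original thread or SquirrelMail's code: a base64 key containing "+" is corrupted by URL decoding, the unpatched `strpos()` condition misses a leading "+", and encoding the value before it goes into the cookie avoids the retry loop altogether. `demo_encrypt()` and `demo_decrypt()` are hypothetical helpers, the password is constructed, and modelling the cookie's receipt with `urldecode()` is an assumption.

```php
<?php
// Added illustration. demo_encrypt()/demo_decrypt() are hypothetical helpers
// that only mimic an XOR pad with base64 output; they are not SquirrelMail code.
function demo_encrypt(string $pass, string $pad): string {
    return base64_encode($pass ^ $pad);
}

function demo_decrypt(string $key, string $pad): string {
    return base64_decode($key) ^ $pad;
}

// Constructed sample: derive a pad so that the key equals "+3jB0U86",
// one of the keys quoted in the ticket. The password is made up.
$pass = 's3cret';
$pad  = base64_decode('+3jB0U86') ^ $pass;
$key  = demo_encrypt($pass, $pad);

// Assumption: the cookie value is sent unencoded and URL-decoded on receipt.
// urldecode() models that step; it turns "+" into a space.
$received = urldecode($key);

// Encoding the value before it is placed in the cookie survives the same
// decoding step, so no key has to be rejected and regenerated.
$encoded   = rawurlencode($key);
$roundtrip = urldecode($encoded);

// The two loop conditions from the thread, evaluated on a key with a
// leading "+": strpos() returns 0 there, which is falsy.
$loose  = (bool) strpos($key, '+');
$strict = strpos($key, '+') !== false;

$rows = [
    'key generated'               => $key,
    'key after URL decoding'      => $received,
    'decrypts to the password'    => demo_decrypt($received, $pad) === $pass,
    'encoded cookie value'        => $encoded,
    'encoded value after decode'  => $roundtrip,
    'round trip decrypts'         => demo_decrypt($roundtrip, $pad) === $pass,
    'strpos() as loop condition'  => $loose,
    'strpos() !== false'          => $strict,
];

foreach ($rows as $label => $value) {
    printf("%-28s: %s\n", $label, var_export($value, true));
}
```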