Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#486 session.use_cookies = off breaks SquirrelMail

open
nobody
None
5
2006-07-07
2006-07-07
Tomas Kuliavas
No

If session.use_cookies is set to off, SquirrelMail
1.4.7 and 1.5.2cvs logins fail.

Tested:
PHP 4.4.3cvs, 5.1.4, 4.3.10.
session.use_trans_sid = on
session.use_cookies = off

SquirrelMail scripts don't add session id to
redirection headers ('Location: some_url') and <meta>
refresh tags. PHP does not modify them too.

List of known broken scripts:
* src/redirect.php
* src/left_main.php (meta refresh)
* src/compose.php
* squirrelspell plugin (php does not rewrite Javascript
button action)
* src/download.php (See #1514631)

Discussion

  • Tomas Kuliavas
    Tomas Kuliavas
    2006-07-07

    Logged In: YES
    user_id=225877

    Question: should we always add session id or test for
    (!ini_get('session.use_cookies'))

     
  • Logged In: YES
    user_id=285765

    I vote for requiring session.use_cookies, since the
    session.trans_sid option is and has always been an ugly
    kludge; plus we require users to have cookies enabled anyway
    so disabling the session cookie thing is not even useful.

     
  • Tomas Kuliavas
    Tomas Kuliavas
    2006-07-09

    Logged In: YES
    user_id=225877

    ----
    if (!(bool)ini_get('session.use_cookies') ||
    ini_get('session.use_cookies') == 'off') {
    ini_set('session.use_cookies','1');
    }
    ----
    Hack turns on session cookies.

    If we want to make SquirrelMail work with multiple logins in
    one browser, we will need session.use_trans_sid and
    session.use_cookies.

     
  • Tomas Kuliavas
    Tomas Kuliavas
    2006-07-18

    Logged In: YES
    user_id=225877

    Moving to feature requests. SquirrelMail 1.5.2 and 1.4.8
    should not break when session.use_cookies = off. Scripts
    turn session cookies on.

    Feature is needed only for cookieless SquirrelMail.