From: Casey A. S. <cshobe@AixOS.net> - 2000-11-21 20:51:59
|
Okay, since everyone on IRC seems to like telling me that I'm "off topic" and then ignore everything I say, I'll post this here:

Bug: I login in one browser window, then login as somebody else in another browser window, well, somebody else isn't logged in as themselves, they are logged in as me, or whomever else happens to be logged in. I've also witnessed this happening across several different computers.

This is fucking important, and I really do not appreciate the attitude that is being taken towards it (Oh you're off topic, we'll just ignore it). I'm sorry that you seem to view my attempts to help as bullshit, and only hope that others on this list care enough about squirrelmail to fix it, or at least provide a suggestion to track down why.

Squirrelmail, 20 November 2000: Unable to send mail from any current non-windows browser. Unable to securely access mail from any browser. Completely worthless.

Unless that changes soon, I will not continue running it on my server, as right now it is just a security hole. I really like the interface, and want it to succeed, but if everyone is going to have a nasty attitude towards people when they try to help, then it never will.

--
Casey Allen Shobe
cs...@ai...
http://aixos.net
**Using AixOS.net Webmail Interface**
|
From: Jason M. <ja...@pa...> - 2000-11-21 21:26:36
|
> Bug: I login in one browser window, then login as somebody else in another
> browser window, well, somebody else isn't logged in as themselves, they are
> logged in as me, or whomever else happens to be logged in. I've also
> witnessed this happening across several different computers.

I don't believe this is a bug actually. PHP handles session variables as cookies. What it sounds like is happening is that since you're just launching a new window of the browser, it's still reading the original cookie information from your previous login session. This is how any session handler works in any web language I've worked in before. If you logout and log back in as someone else, you should be in as the new user. In addition, if you close the browser and re-open it, if you log in you'll be in as a new user. If this is what's happening to you, it's not a bug in squirrelmail, but a simple limitation of HTTP.

> Squirrelmail, 20 November 2000: Unable to send mail from any current non-
> windows browser.

What non-windows browser are you using? I use SM with Netscape 4.75 and Mozilla M18 every day with no problem from a Linux workstation. It also works with the Linux version of Netscape 6. Are you using another browser?

> Unable to securely access mail from any browser.
> Completely worthless.

By securely access mail are you referring to SSL?

I'll be glad to help you, just don't swear up and down the list. It's impolite and inappropriate.

--
Jason McCormick
|
From: Lewis B. <lbe...@ab...> - 2000-11-21 22:05:58
|
My opinions are strictly my own and not that of anyone else having anything to do with SquirrelMail.

Cursing. Although definitely effective in showing your frustration, this probably won't accomplish the desired result.

On Tue, 21 Nov 2000, you wrote:
> Okay, since everyone on IRC seems to like telling me that I'm "off topic"
> and then ignore everything I say, I'll post this here:
>

hmmm.... If I remember right this was only because it was in the middle of a thread not on the subject. We were stepping through tasks.

> Bug: I login in one browser window, then login as somebody else in another
> browser window, well, somebody else isn't logged in as themselves, they are
> logged in as me, or whomever else happens to be logged in. I've also
> witnessed this happening across several different computers.
>

This is confusing, but probably only because I am only as intelligent as the average Florida voter. Please go through the steps to recreate the problem step by step and submit a bug report to sourceforge. Include anything you might think is relevant. Too much info is better than not enough.

> This is fucking important, and I really do not appreciate the attitude that
> is being taken towards it (Oh you're off topic, we'll just ignore it). I'm
> sorry that you seem to view my attempts to help as bullshit, and only hope
> that others on this list care enough about squirrelmail to fix it, or at
> least provide a suggestion to track down why.
>

Again, Due to your colorful language I am apt to leap into motion, furiously coding to correct all issues. Really, we know thousands of people use this software. I am sure that you are more important than all of them but please try to remain calm.

Attitude? What attitude? Ohhhh, the attitude that comes from all those developers slaving away on a project of their own free will, giving away the source code, continually working to improve it, help install it, then getting cursed at. NOW I know what attitude you are talking about.

Help with the project from anyone has never been viewed as bovine excrement as far as I know. We all care deeply about the project, just ask our wives and girlfriends.

> Squirrelmail, 20 November 2000: Unable to send mail from any current non-
> windows browser. Unable to securely access mail from any browser.
> Completely worthless.
>

What? I use NS4.76 from Linux. I don't own a window or a browser that is thrown through one. Mine works as I expect it to. Are you going for SSL here? If so. I thought the download attachments thing was worked out. Please be more specific. As far as worthless. Worth less than what? I got mine free, what did you pay for yours?

> Unless that changes soon, I will not continue running it on my server, as
> right now it is just a security hole. I really like the interface, and
> want it to succeed, but if everyone is going to have a nasty attitude
> towards people when they try to help, then it never will.

Oooowwww! That hurt. There goes my commission for every server running SquirrelMa...., HEY! Wait a minute. Nobody gets paid for this stuff!? And if you thought all of this was a nasty attitude you should try being cursed at. It really hits my feelings. NOT!

Really, I have waxed childish for a few minutes. I hope you got a laugh out of it rather than be further enraged. That is how it was intended. But honestly, is this type of discussion really going to further the development of the source or just take up BW?

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602
915-695-6962
|
From: Ondrej S. <on...@gl...> - 2000-11-22 09:20:47
|
"Casey Allen Shobe" <cs...@ai...> writes:

> Okay, since everyone on IRC seems to like telling me that I'm "off topic"
> and then ignore everything I say, I'll post this here:

Maybe it is because you _are_ off topic. See below.

> Bug: I login in one browser window, then login as somebody else in another
> browser window, well, somebody else isn't logged in as themselves, they are
> logged in as me, or whomever else happens to be logged in. I've also
> witnessed this happening across several different computers.

This is not a bug in squirrelmail, maybe you should try to configure your php so it doesn't store session information in cookies (RTFM of PHP).

> This is fucking important, and I really do not appreciate the attitude that
> is being taken towards it (Oh you're off topic, we'll just ignore it). I'm
> sorry that you seem to view my attempts to help as bullshit, and only hope
> that others on this list care enough about squirrelmail to fix it, or at
> least provide a suggestion to track down why.

If your wordlist was the same as in this mail, you shouldn't be surprised that everybody had ignored you.

> Squirrelmail, 20 November 2000: Unable to send mail from any current non-
> windows browser.

What does the browser have to do with sending emails? I use Netscape 4.75 and Mozilla M18 without a glitch of problem.

> Unable to securely access mail from any browser.

Try to spell after me: SSL. (http://www.openssl.org/) You couldn't make web ap. secure without support of low level layer of TCP/IP comm.

> Unless that changes soon, I will not continue running it on my server, as
> right now it is just a security hole. I really like the interface, and
> want it to succeed, but if everyone is going to have a nasty attitude
> towards people when they try to help, then it never will.

Again if the people trying to help are pain in a**, then you shouldn't be surprised.

--
Ondřej Surý <on...@gl...> Globe Internet s.r.o. http://globe.cz/
Tel: +420235365000 Fax: +420235365009 Pláničkova 1, 162 00 Praha 6
Mob: +420602667702 ICQ: 24944126 Mapa: http://globe.namape.cz/
GPG fingerprint: CC91 8F02 8CDE 911A 933F AE52 F4E6 6A7C C20D F273
|
From: Tyler A. <ty...@bo...> - 2000-11-22 16:29:49
|
> Bug: I login in one browser window, then login as somebody else in
> another browser window, well, somebody else isn't logged in as
> themselves, they are logged in as me, or whomever else happens to be
> logged in. I've also witnessed this happening across several different
> computers.

I know that this has been touched on previously, but hopefully I'll offer new information for you.

I am currently writing a web-based classroom package. It is using PHP and sessions. I also use cookies, and found that they conflict with SquirrelMail. I changed the name of my cookies, but I am debating removal of them altogether. I already have cookie detection code, and I could just remove that code altogether and just set up PHP so that cookies for sessions are never used.

This triggered me thinking about SquirrelMail 2.0 - I was wondering if we could have a server option to not use cookies and just rewrite links. It would be VERY easy if we had a function to build the link for us. That function could do this:

    function MakeLink($targetFile, $Desc, $Parameters = '', $LinkTarget = '')
    {
        // The two cookie flags are set outside this function
        global $use_cookies, $browser_uses_cookies;

        echo "<a href=\"$targetFile";
        // Without cookies, carry the session id in the query string
        if (! $use_cookies || ! $browser_uses_cookies)
        {
            if ($Parameters != '')
                $Parameters .= '&';
            $Parameters .= urlencode(session_name()) . '=' .
                urlencode(session_id());
        }
        if ($Parameters)
            echo "?$Parameters";
        // Close the href attribute
        echo "\"";
        if ($LinkTarget != '')
            echo " target=\"$LinkTarget\"";
        echo ">$Desc</a>";
    }

If nobody made links directly, but instead used something like the above function to write every link, then we wouldn't have a problem anymore. I think that you can configure PHP to do the same, but I am not sure as to how complete that solution would be and if it would catch all links. Would it also catch forms? I didn't read the PHP manual on that in depth yet, but I'm planning on looking into it.

Of course, this would take a major rewrite for lots of the code, so it probably shouldn't be attempted until 2.0. It could solve the problem with people logging in as different usernames with multiple windows of the same browser.

It does work well, and I use something very similar to this function for all the links in my web-based classroom software.

--
Tyler Akins
ty...@bo...
|
From: Siraj 'S. R. <si...@mi...> - 2000-11-22 17:16:37
|
> Of course, this would take a major rewrite for lots of the code, so it
> probably shouldn't be attempted until 2.0. It could solve the problem
> with people logging in as different usernames with multiple windows of
> the same browser.

I quite like this "bug" though... Some people don't care if two users are logged into the same machine/browser instance at the same time I think, or in fact, might want that to happen. I was tempted to write "It's a feature! Not a bug!" (well I just did, hah! :-).

Regards,
Sid

PS. I am not sure it was appropriate to send to the list, but as this conversation is being held here, and not squirrelmail-list, I sent it anyway.
|
From: Luke E. <leh...@cs...> - 2000-11-22 19:15:21
|
Tyler,

That is a VERY great idea.. With this, we are cutting the requirements of SquirrelMail down even further. No need for cookies, or javascript. Just a SIMPLE html viewing browser (depending on what template you are using), and that's it. A very good idea, and I think we should be sure to use this in 2.0.

Luke

On Wed, 22 Nov 2000, Tyler Akins wrote:

> > Bug: I login in one browser window, then login as somebody else in
> > another browser window, well, somebody else isn't logged in as
> > themselves, they are logged in as me, or whomever else happens to be
> > logged in. I've also witnessed this happening across several different
> > computers.
>
> I know that this has been touched on previously, but hopefully I'll offer new information for you.
>
> I am currently writing a web-based classroom package. It is using PHP and sessions. I also use cookies, and found that they conflict with SquirrelMail. I changed the name of my cookies, but I am debating removal of them altogether. I already have cookie detection code, and I could just remove that code altogether and just set up PHP so that cookies for sessions are never used.
>
> This triggered me thinking about SquirrelMail 2.0 - I was wondering if we could have a server option to not use cookies and just rewrite links. It would be VERY easy if we had a function to build the link for us. That function could do this:
>
> function MakeLink($targetFile, $Desc, $Parameters = '', $LinkTarget = '')
> {
> echo "<a href=\"$targetFile";
> if (! $use_cookies || ! $browser_uses_cookies)
> {
> if ($Parameters != '')
> $Parameters .= '&';
> $Parameters .= urlencode(session_name()) . '=' .
> urlencode(session_id());
> }
> if ($Parameters)
> echo "?$Parameters";
> echo "\";
> if ($LinkTarget != '')
> echo " target=\"$LinkTarget\"";
> echo ">$Desc</a>";
> }
>
> If nobody made links directly, but instead used something like the above function to write every link, then we wouldn't have a problem anymore. I think that you can configure PHP to do the same, but I am not sure as to how complete that solution would be and if it would catch all links. Would it also catch forms? I didn't read the PHP manual on that in depth yet, but I'm planning on looking into it.
>
> Of course, this would take a major rewrite for lots of the code, so it probably shouldn't be attempted until 2.0. It could solve the problem with people logging in as different usernames with multiple windows of the same browser.
>
> It does work well, and I use something very similar to this function for all the links in my web-based classroom software.
>
>

  _
 . .     Luke Ehresman - "Codito, ergo sum"
/ v \    leh...@cs...
/( )\    http://www.css.tayloru.edu/~lehresma
^^ ^^
|
From: Stefan S. <st...@se...> - 2000-11-22 19:49:08
|
Hi,

why not use php 4 stuff for session handling with its full set of functions ?
from php-doc :
<A HREF="nextpage.php?<?=SID?>">click here</A>
this sets the session as ? get parameter.

In forms you can deliver a hidden field with the name of the session id and as value of course the sid.

If you don't want to use cookies with php4 sessions just configure php4 via php.ini not to do so. It will use these get/post vars instead.

Regards
Stefan Sels

> Tyler,
>
> That is a VERY great idea.. With this, we are cutting the requirements
> of SquirrelMail down even further. No need for cookies, or javascript.
> Just a SIMPLE html viewing browser (depending on what template you are
> using), and that's it. A very good idea, and I think we should be sure
> to use this in 2.0.
>
> Luke
>
> On Wed, 22 Nov 2000, Tyler Akins wrote:
>
>> > Bug: I login in one browser window, then login as somebody else in
>> > another browser window, well, somebody else isn't logged in as
>> > themselves, they are logged in as me, or whomever else happens to
>> > be logged in. I've also witnessed this happening across several
>> > different computers.
>>
>> I know that this has been touched on previously, but hopefully I'll
>> offer new information for you.
>>
>> I am currently writing a web-based classroom package. It is using PHP
>> and sessions. I also use cookies, and found that they conflict with
>> SquirrelMail. I changed the name of my cookies, but I am debating
>> removal of them altogether. I already have cookie detection code, and
>> I could just remove that code altogether and just set up PHP so that
>> cookies for sessions are never used.
>>
>> This triggered me thinking about SquirrelMail 2.0 - I was wondering if
>> we could have a server option to not use cookies and just rewrite
>> links. It would be VERY easy if we had a function to build the link
>> for us. That function could do this:
>>
>> function MakeLink($targetFile, $Desc, $Parameters = '', $LinkTarget =
>> '') {
>> echo "<a href=\"$targetFile";
>> if (! $use_cookies || ! $browser_uses_cookies)
>> {
>> if ($Parameters != '')
>> $Parameters .= '&';
>> $Parameters .= urlencode(session_name()) . '=' .
>> urlencode(session_id());
>> }
>> if ($Parameters)
>> echo "?$Parameters";
>> echo "\";
>> if ($LinkTarget != '')
>> echo " target=\"$LinkTarget\"";
>> echo ">$Desc</a>";
>> }
>>
>> If nobody made links directly, but instead used something like the
>> above function to write every link, then we wouldn't have a problem
>> anymore. I think that you can configure PHP to do the same, but I am
>> not sure as to how complete that solution would be and if it would
>> catch all links. Would it also catch forms? I didn't read the PHP
>> manual on that in depth yet, but I'm planning on looking into it.
>>
>> Of course, this would take a major rewrite for lots of the code, so it
>> probably shouldn't be attempted until 2.0. It could solve the problem
>> with people logging in as different usernames with multiple windows of
>> the same browser.
>>
>> It does work well, and I use something very similar to this function
>> for all the links in my web-based classroom software.
>>
>>
>
>   _
>  . .     Luke Ehresman - "Codito, ergo sum"
> / v \    leh...@cs...
> /( )\    http://www.css.tayloru.edu/~lehresma
> ^^ ^^

--
Kind regards
Stefan Sels
---
Discordian Quote for the picosecond:
Jesus loves you. Everyone else thinks you're an asshole.
|
From: Luke E. <leh...@cs...> - 2000-11-22 21:32:01
|
When using PHP4's link rewriting functionality, I've never really had that much luck. It has often mangled my links, especially if I'm passing a lot of parameters through GET.

I think that Tyler's method of sending all links through a link-writer would be the best way. This way, cookies can be a conf.pl configuration option. If they choose yes, we don't include the PHPSESSID in the link. If they choose not to use cookies, then we DO include the session id.

Luke

On Wed, 22 Nov 2000, Stefan Sels wrote:

> Hi,
>
> why not use php 4 stuff for session handling with its full set of
> functions ?
> from php-doc :
> <A HREF="nextpage.php?<?=SID?>">click here</A> this sets the session as ?
> get parameter.
>
> In forms you can deliver a hidden field with the name of the session id and
> as value of course the sid.
>
> If you don't want to use cookies with php4 sessions just configure php4
> via php.ini not to do so. it will use these get/post vars instead.
>
> Regards
> Stefan Sels
>
> > Tyler,
> >
> > That is a VERY great idea.. With this, we are cutting the requirements
> > of SquirrelMail down even further. No need for cookies, or javascript.
> > Just a SIMPLE html viewing browser (depending on what template you are
> > using), and that's it. A very good idea, and I think we should be sure
> > to use this in 2.0.
> >
> > Luke
> >
> > On Wed, 22 Nov 2000, Tyler Akins wrote:
> >
> >> > Bug: I login in one browser window, then login as somebody else in
> >> > another browser window, well, somebody else isn't logged in as
> >> > themselves, they are logged in as me, or whomever else happens to
> >> > be logged in. I've also witnessed this happening across several
> >> > different computers.
> >>
> >> I know that this has been touched on previously, but hopefully I'll
> >> offer new information for you.
> >>
> >> I am currently writing a web-based classroom package. It is using PHP
> >> and sessions. I also use cookies, and found that they conflict with
> >> SquirrelMail. I changed the name of my cookies, but I am debating
> >> removal of them altogether. I already have cookie detection code, and
> >> I could just remove that code altogether and just set up PHP so that
> >> cookies for sessions are never used.
> >>
> >> This triggered me thinking about SquirrelMail 2.0 - I was wondering if
> >> we could have a server option to not use cookies and just rewrite
> >> links. It would be VERY easy if we had a function to build the link
> >> for us. That function could do this:
> >>
> >> function MakeLink($targetFile, $Desc, $Parameters = '', $LinkTarget =
> >> '') {
> >> echo "<a href=\"$targetFile";
> >> if (! $use_cookies || ! $browser_uses_cookies)
> >> {
> >> if ($Parameters != '')
> >> $Parameters .= '&';
> >> $Parameters .= urlencode(session_name()) . '=' .
> >> urlencode(session_id());
> >> }
> >> if ($Parameters)
> >> echo "?$Parameters";
> >> echo "\";
> >> if ($LinkTarget != '')
> >> echo " target=\"$LinkTarget\"";
> >> echo ">$Desc</a>";
> >> }
> >>
> >> If nobody made links directly, but instead used something like the
> >> above function to write every link, then we wouldn't have a problem
> >> anymore. I think that you can configure PHP to do the same, but I am
> >> not sure as to how complete that solution would be and if it would
> >> catch all links. Would it also catch forms? I didn't read the PHP
> >> manual on that in depth yet, but I'm planning on looking into it.
> >>
> >> Of course, this would take a major rewrite for lots of the code, so it
> >> probably shouldn't be attempted until 2.0. It could solve the problem
> >> with people logging in as different usernames with multiple windows of
> >> the same browser.
> >>
> >> It does work well, and I use something very similar to this function
> >> for all the links in my web-based classroom software.
> >>
> >>
> >
> >   _
> >  . .     Luke Ehresman - "Codito, ergo sum"
> > / v \    leh...@cs...
> > /( )\    http://www.css.tayloru.edu/~lehresma
> > ^^ ^^
>
>
>

  _
 . .     Luke Ehresman - "Codito, ergo sum"
/ v \    leh...@cs...
/( )\    http://www.css.tayloru.edu/~lehresma
^^ ^^
|
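
Added example, not part of the thread and not SquirrelMail code: because every window of one browser sends the same session cookie, a second login arrives with the first user's session attached, so the login handler below discards that session before binding the new identity. The `app_*` function names and the `$verify` callback are assumptions made for this sketch.

```php
<?php
// Added example, not SquirrelMail code. The app_* names and the $verify
// callback are hypothetical.

/** Start (or resume) the session, taking its id from the cookie only. */
function app_session_start(): void
{
    // An id carried in the URL travels with pasted links, browser history
    // and Referer headers, so only the cookie is honoured here.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();
}

/**
 * Log in as $user. $verify is a caller-supplied callable that checks the
 * credentials (for a webmail client, typically against the IMAP server).
 */
function app_login(string $user, string $pass, callable $verify): bool
{
    if (!$verify($user, $pass)) {
        return false;             // a failed attempt leaves the session alone
    }
    $_SESSION = [];               // drop the previous user's state
    session_regenerate_id(true);  // new id; the old session storage is deleted
    $_SESSION['user'] = $user;
    return true;
}

/** Name of the logged-in user, or null when nobody is logged in. */
function app_current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

/** End the session and expire its cookie in the browser. */
function app_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a login script (constructed; check_imap_login is hypothetical):
//   app_session_start();
//   if (app_login($_POST['user'], $_POST['pass'], 'check_imap_login')) { ... }
```

After a successful `app_login()`, every window that shares the cookie sees the new user on its next request, and nothing stored for the earlier user remains in the session.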