From: Daniel W. <d...@ni...> - 2007-05-31 16:20:44
|
Firstly - I notice that Jonathan was working on this back in 2003 so I know this has been discussed before. Did it get anywhere or fall by the wayside? Certainly one of the top problems with our users accessing webmail is to do with browser privacy settings or other software (eg anti-virus / firewall) blocking cookies. Is there any way to have squirrelmail detect when a browser isn't going to play with cookies and then switch to, if necessary, 'ugly mode' and work passing the SID in the $GET? Please don't say it's the user's problem as sometimes public/shared computers do not allow you to change security settings. Many users travel and rely on being able to access email from internet cafes. At WORST, the 'You must be logged in' should be replaced with a message such as: "We have detected that your browser is not accepting cookies and as a result webmail was not able to log you in. Please ensure that cookies are allowed both within your browser and within your network and try again" As an example gmail shows: "Your browser's cookie functionality is turned off. Please turn it on." Perhaps with a helpful link to a squirrelmail.org web page about how to change privacy settings for particular browsers / firewalls. Daniel |
From: Thijs K. <ki...@sq...> - 2007-05-31 16:44:19
|
On Thursday 31 May 2007 18:23, Daniel Watts wrote: > Is there any way to have squirrelmail detect when a browser isn't going > to play with cookies and then switch to, if necessary, 'ugly mode' and > work passing the SID in the $GET? Sure that way could exist, but as you might imagine, it would require to pass that SID into *every* produced URL. If Jon or you want to implement that, I see no problem with that being put into the devel tree. It's not a simple task though. > At WORST, the 'You must be logged in' should be replaced with a message > such as: > > "We have detected that your browser is not accepting cookies and as a > result webmail was not able to log you in. Please ensure that cookies > are allowed both within your browser and within your network and try again" > > As an example gmail shows: > "Your browser's cookie functionality is turned off. Please turn it on." Sure, that would be good. Could you please provide a patch for something like this? Thijs |
From: Daniel W. <d...@ni...> - 2007-05-31 17:13:54
|
Thijs Kinkhorst wrote: > On Thursday 31 May 2007 18:23, Daniel Watts wrote: >> Is there any way to have squirrelmail detect when a browser isn't going >> to play with cookies and then switch to, if necessary, 'ugly mode' and >> work passing the SID in the $GET? > > Sure that way could exist, but as you might imagine, it would require to pass > that SID into *every* produced URL. If Jon or you want to implement that, I > see no problem with that being put into the devel tree. It's not a simple > task though. > >> At WORST, the 'You must be logged in' should be replaced with a message >> such as: >> >> "We have detected that your browser is not accepting cookies and as a >> result webmail was not able to log you in. Please ensure that cookies >> are allowed both within your browser and within your network and try again" >> >> As an example gmail shows: >> "Your browser's cookie functionality is turned off. Please turn it on." > > Sure, that would be good. Could you please provide a patch for something like > this? > Just realised we actually have a plugin for this. Have installed it and modified the output to show: ERROR You must be logged in to view this page. If you have attempted to log in, the following may have occurred: Your cookies may have expired. You may have cookies blocked. Your session has expired due to inactivity. You are using privacy protection that may stop cookies from being accessed. Please ENABLE COOKIES [link to:http://www.google.com/cookies.html] and try again. If you still cannot access your account, please do contact support with your browser version and the actions you have tried. Go to the login page This seems an obvious plugin for corification. No? Best wishes, Daniel |
From: Antoine D. <an...@de...> - 2007-05-31 17:57:05
|
Thijs Kinkhorst wrote : > On Thursday 31 May 2007 18:23, Daniel Watts wrote: > >> Is there any way to have squirrelmail detect when a browser isn't going >> to play with cookies and then switch to, if necessary, 'ugly mode' and >> work passing the SID in the $GET? >> > > Sure that way could exist, but as you might imagine, it would require to pass > that SID into *every* produced URL. If Jon or you want to implement that, I > see no problem with that being put into the devel tree. It's not a simple > task though. > A possible workaround for this is to enable session.use_trans_sid in your php.ini, which does just that (it adds the SID string into any URL in your output). (requires PHP >= 4.3) Another, rather easy approach could be to emulate this function, using output buffering. As an option, perhaps ? Remember that a user who didn't logout and destroy his session properly might have his account hijacked, e.g because of a URL with the SID stored in the history. Whereas session cookies are destroyed if the browser window is closed. >> At WORST, the 'You must be logged in' should be replaced with a message >> such as: >> >> "We have detected that your browser is not accepting cookies and as a >> result webmail was not able to log you in. Please ensure that cookies >> are allowed both within your browser and within your network and try again" >> >> As an example gmail shows: >> "Your browser's cookie functionality is turned off. Please turn it on." >> > > Sure, that would be good. Could you please provide a patch for something like > this? > > > Thijs > Regards, Antoine |
From: Tomas K. <to...@us...> - 2007-06-01 05:19:25
|
>>> Is there any way to have squirrelmail detect when a browser isn't going >>> to play with cookies and then switch to, if necessary, 'ugly mode' and >>> work passing the SID in the $GET? >>> >> >> Sure that way could exist, but as you might imagine, it would require to >> pass >> that SID into *every* produced URL. If Jon or you want to implement >> that, I >> see no problem with that being put into the devel tree. It's not a >> simple >> task though. >> > A possible workaround for this is to enable session.use_trans_sid in > your php.ini, which does just that (it adds the SID string into any URL > in your output). (requires PHP >= 4.3) It does not add SID to html meta headers and http redirects. Plus SquirrelMail stores more than session id in cookies. -- Tomas |
From: Jon A. <jo...@sq...> - 2007-06-01 03:07:21
|
Hi Daniel > Firstly - I notice that Jonathan was working on this back in 2003 so I > know this has been discussed before. Did it get anywhere or fall by the > wayside? It's not really fallen by the wayside, I think it's just one of those issues that we really need to understand the impact of. Along with the changing nature of development as it is, I was considering waiting until the templating is finished, or close enough. Templates will break plugins enough as it is, the "get" stuff will break it terribly. > Certainly one of the top problems with our users accessing webmail is to > do with browser privacy settings or other software (eg anti-virus / > firewall) blocking cookies. > Is there any way to have squirrelmail detect when a browser isn't going > to play with cookies and then switch to, if necessary, 'ugly mode' and > work passing the SID in the $GET? There is an issue with an all GET setup for session information. We currently store the users encrypted password in a cookie, with the encryption key in the session. If we move everything to stored in a session, both the password and decryption key, are in the same location. As the encryption algorithm is available in the source, and PHP will allow you to easily open another session from another PHP app, simply by supplying the session id (see php.net/session_id). -- Jon Angliss <jo...@sq... |
From: Tomas K. <to...@us...> - 2007-06-01 12:37:44
|
> Just realised we actually have a plugin for this. Have installed it and > modified the output to show: > > ERROR > You must be logged in to view this page. > If you have attempted to log in, the following may have occurred: > > Your cookies may have expired. > You may have cookies blocked. > Your session has expired due to inactivity. > ... Wrong assumption. By default plugin uses own cookie. sqm_cookie_check cookie does not have expiration date and is not related to session cookies. It is active until browser is closed. If session is expired, you should not see message from plugin. -- Tomas |