#86 multiple logins at once, identity problems

[Miha Verlic]

If I open two or more tabs in mozilla, and login to
several different usernames at once, squirrelmail seems
to mix up their identities... ie: I send mail from
second account in second window, but it seems like mail
is sent from first one (based on from: field). This is
probably cookie related.

You can easily reproduce this, by setting multiple
identities to one of the account. Then simply login to
both accounts at once, and click compose in both
windows - you'll see that squirrelmail will use compose
info from first account.

Tested with squirrelmail 1.2.11 and 1.4.0 RC2a, under
apache & php 4.2.3 & 4.3.1, with mozilla 1.2.1

--Miha

[Thijs Kinkhorst]

Logged In: YES
user_id=285765

Maybe include the username in the cookiename?
In stead of SQMSESSION use SQMSESSION_kink ?

[Jonathan Angliss]

Logged In: YES
user_id=620333

I'm trying to work out a possible solution with this problem
at the moment. Thanks for reporting it. kink, if using
username in session, how do you propose we find the session
details?

[Thijs Kinkhorst]

Logged In: YES
user_id=285765

I admit, stupid suggestion, never mind me %-)

[Thijs Kinkhorst]

Logged In: YES
user_id=285765

I think that if you're opening two accounts from the same
browser, you can hardly expect that to go right. Jon, do you
have a solution for this problem in sight?

[Jonathan Angliss]

Logged In: YES
user_id=620333

Not likely in the near 1.2 or 1.4 branch... maybe if I get a
while, I can sit and hack apart the pages... but would take
a lot of work... And it is likely to break a lot of plugins
at the same time. It is on the books as a major fix thing
for 1.5 as we'll be able to seriously bash the code apart
then as it is devel :)

I'll have to see if I can do some major work in 1.2, and 1.4
to see how workable it is.

[Micah Morton]

Logged In: YES
user_id=682070

Is this something that can be tested simply by specifying
that with conf.pl? like SQMSESSION_$username ?? seems like
that might work, maybe I'll give that a whack. Also.. FYI:
I can reproduce this without a hitch on the same browser NOT
at the same time. Let me know if you would like me to try
more things with this. I am willing and able.

I have gotten this in both 1.2.11 as well as 1.4.0 stable.

I too agree that this is cookie related.

How about flushing any existing cookie upon redirect.php
signing somebody in. Right before the cookie is inserted,
just do a quick flush.

Thanks,
Micah

[Jonathan Angliss]

Logged In: YES
user_id=620333

If the session name is setup like that, how do you work out
the session name? $username is stored in the session, so
you have to start it to fetch it. My plan was the session
id in the URL. It's all in my plans ;)

As for the cookie being destroyed on redirect, they should
in fact be being killed on the login page, so if you go to
the login page, it should kill the session.