[SM-DEVEL] Recovering Interrupted Messages from session time outs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I've created a partial solution plugin/code hack that will allow one to
capture submitted messages from a person whose session has expired. It's
very experimental. This functionality is implemented in a very poor way,
requiring an insertion of a few lines in functions/auth.php. I'm hoping
that someone can improve this plugin/code hack and eventually get an
option to have this enabled or disabled in squirrelmail's future releases.

What I have:

This plugin/code hack is called msg_recover or message recover. When a
person submits form data to src/compose.php, the post variable 'send' is
set, and their session is inactive/timed out this kicks in and saves the
message to the user data directory as '$username.msg'. From here the
person clicks on the link to login again. When they login the
'right_main_after_header' hook kicks in to display a form that has been
saved. his form displays a button with the text 'Recover Interrrupted
Message' that they can click on to continue the composition or sending of
the message. If they don't click on this button, the message just sits
there until they do. When they click on it, it submits to the composition
page and populates To, CC, BCC, Subject and body.When src/compose.php is
executing the 'compose_form' kicks in to delete the stored form on the
server.

What I'd like to see:
 It would be nice if this could be modified so that when ever a person
logged in after a session time out and an attempt to send a message, they
would instead go directly back into the composition form with their
message waiting.

Problems with this:
There are definite problems with this implementation.

One could easily spoof post data to create a msg and the system would
store. Possibly a scripting attack from remote user.

You have to define in the file plugins/msg_recover/setup.php what the
$data_dir on your server is instead of just pulling it from the config
file. It has to do with not being able to access this information from
when your session times out.

And finally you have to hack up functions/auth.php to make it this thing
work at all. You have to insert two lines after the comment around line 48
to 50. Not good having to modify actual source and not doing it strictly
as a plugin.

What do you guys think? A tar file is attached for review. For the most
part you treat it like a plugin with a few exceptions. You have to define
what the $data_dir really is on your system in msg_recover/setup.php. You
also have to insert the following 2 lines into the file
functions/auth.php.

------auth.php insertion after comment starting on line 48--------
require_once(SM_PATH . 'plugins/msg_recover/setup.php');
msg_recover_store();
------------------------------------------------------------------

Thank you,

Walker Wheeler
==========================================
fx...@ua...
907.474.7173
University of Alaska Fairbanks
Division of Computing and Communication
Systems Programmer
==========================================