From: Daniel W. <d...@ni...> - 2007-10-30 17:48:02
[sorry if this is a repost - I didn't think the first one sent]

> Dear Dev team,
>
> Currently the 'you must be logged in to view this page' message is the
> bane of our existence. We receive more issues about this than all other
> issues put together.
>
> Various things conspire to produce this - seemingly corrupted cookies (ie
> clearing them fixes the problem), antivirus / firewalls that seem to
> block cookies etc.
>
> Sometimes the login will actually get through to webmail.php, load the 3
> frames (with preview pane) and then outrageously show the 'You must be
> logged in' error in all 3 frames!
>
> Is squirrelmail particularly sensitive to cookie issues? I've never
> experienced these kinds of problems with the public systems.
>
> Of course the issue may be our end with our session management but our
> other webpages seem to operate fine without sessions / cookies being
> lost willy-nilly.
>
> Particularly the corrupted cookie issue sounds like something
> squirrelmail should be able to take care of by completely clearing all
> existing cookie records upon login. Having users manually delete old
> cookies browser-side is hard work.
>
> Not sure what I'm asking specifically here - maybe I just want to check
> if we alone are experiencing these issues?
>

I have a clue about this. I think a plugin or some kind of function tries to access a file or folder incorrectly. This is caught by the index.php which redirects the user to login.php. login.php kills the session! So the next action the user does is greeted with 'you must be logged in'.

How big a problem is it if I stop login.php from killing the session? How exactly would that be used to compromise (or otherwise accidentally break) an account?

Daniel