From: Scott H. @ B. P. <Sco...@bu...> - 2003-07-08 17:53:56
I don't code, but I'm willing to try this. What file would I put this into-
login.php? src/webmail.php?

>From: gr...@pr... [mailto:gr...@pr...]
> I'm not a php expert but isn't there a
> session_cache_limiter();
> function that can be used to stop the browser caching?
>
> i.e.
>
> <?php
> /* set the cache limiter to 'nocache' */
> session_cache_limiter('nocache');
> session_start();
> .....
> ?>
>
>> I have just set up our SM server and my boss tried it and he points out if
>> someone were using SM at a public terminal, and they didn't log out, but
>> just headed to another web site, then the next person in line could
>> backpage right into their account. He wants a solution to this (and he
>> doesn't want to put the burden onto the users to be responsible for
>> signing out). Is there a way to force an SM user's browser to not cache
>> pages? Or is there a way to know if a user leaves the SM session, so the
>> cached credentials could be deleted? Other suggestions?
From: p d. t. <pdo...@an...> - 2003-08-30 00:10:29
Attachments:
timeout_user-1.2-0.5.tar.gz
Oops. Had a minor bug. Attached is a fixed version. Let me know if it
works/doesn't work for you.

Thanks,

Paul

> -----Original Message-----
> From: p dont think [mailto:pdo...@an...]
> Sent: Wednesday, August 27, 2003 5:55 PM
> To: 'Scott Henderson'; 'gr...@pr...'
> Cc: 'squ...@li...'
> Subject: RE: [SM-USERS] How to improve security for SM users
>
> All,
>
> Please find attached a new version of the timeout_user plugin. It now
> includes functionality that will solve this problem without the need to patch
> SquirrelMail. The user *is* allowed to browse back to SquirrelMail within the
> defined timeout duration, but after that, they will see the signout screen if
> they try to browse back to SM.
>
> If you don't need the other functionality in this plugin, you should configure
> it to *only* use server-side timeout functionality, do *not* allow users to
> set their own timeout value, and define an appropriate system-wide timeout
> duration.
>
> HTH,
>
> Paul
>
> > -----Original Message-----
> > From: squ...@li...
> > [mailto:squ...@li...] On Behalf Of Scott
> > Henderson
> > Sent: Monday, July 14, 2003 9:53 AM
> > To: gr...@pr...
> > Cc: squ...@li...
> > Subject: RE: [SM-USERS] How to improve security for SM users
> >
> > I put in the code you wrote, and it works great. Thanks so much! It's
> > always awesome to have someone just write the code you need, and voila' -
> > now I have the functionality my company requires! This is another example
> > of why Open Source software is so great. It's the people - you can't beat
> > that kind of service! :)
> >
> > > gr...@pr...>
> > > Forget the nocache option, just add the indicated lines to webmail.php
> > > just after the session_start();
From: <gr...@pr...> - 2003-07-08 20:33:40
If my understanding is correct you will need to put the code at the top of
each .php file. Can any php experts on the list confirm this or otherwise?

> I don't code, but I'm willing to try this. What file would I put this
> into-
> login.php? src/webmail.php?
>
>>From: gr...@pr... [mailto:gr...@pr...]
>> I'm not a php expert but isn't there a
>> session_cache_limiter();
>> function that can be used to stop the browser caching?
>>
>> i.e.
>>
>> <?php
>> /* set the cache limiter to 'nocache' */
>> session_cache_limiter('nocache');
>> session_start();
>> .....
>> ?>
>>
>>> I have just set up our SM server and my boss tried it and he points out if
>>> someone were using SM at a public terminal, and they didn't log out,
>>> but just headed to another web site, then the next person in line could
>>> backpage right into their account. He wants a solution to this (and he
>>> doesn't want to put the burden onto the users to be responsible for
>>> signing out). Is there a way to force an SM user's browser to not cache
>>> pages? Or is there a way to know if a user leaves the SM session, so the
>>> cached credentials could be deleted? Other suggestions?
From: Andre N. <an...@ne...> - 2003-07-08 21:04:21
The statement:

session_cache_limiter('nocache');

would need to come before any calls to session_start(). So not necessarily
every PHP file but every PHP file that made a call to session_start() instead.

Although, I have no clue how sessions are maintained in SM PHP wise so a word
from one of the SM developers would be nice :)

Andre

> If my understanding is correct you will need to put the code at the top of
> each .php file. Can any php experts on the list confirm this or
> otherwise?
>
>> I don't code, but I'm willing to try this. What file would I put this
>> into-
>> login.php? src/webmail.php?
>>
>>>From: gr...@pr... [mailto:gr...@pr...]
>>> I'm not a php expert but isn't there a
>>> session_cache_limiter();
>>> function that can be used to stop the browser caching?
>>>
>>> i.e.
>>>
>>> <?php
>>> /* set the cache limiter to 'nocache' */
>>> session_cache_limiter('nocache');
>>> session_start();
>>> .....
>>> ?>
>>>
>>>> I have just set up our SM server and my boss tried it and he points out
>>>> if someone were using SM at a public terminal, and they didn't log out,
>>>> but just headed to another web site, then the next person in line could
>>>> backpage right into their account. He wants a solution to this (and he
>>>> doesn't want to put the burden onto the users to be responsible for
>>>> signing out). Is there a way to force an SM user's browser to not cache
>>>> pages? Or is there a way to know if a user leaves the SM session, so the
>>>> cached credentials could be deleted? Other suggestions?
From: Marc G. K. <ma...@sq...> - 2003-07-08 21:16:42
Andre Nicholson said:
> The statement:
>
> session_cache_limiter('nocache');
>
> would need to come before any calls to session_start(). So not necessarily
> every PHP file but every PHP file that made a call to session_start() instead.
>
> Although, I have no clue how sessions are maintained in SM PHP wise so a
> word from one of the SM developers would be nice :)
>
> Andre

look at functions/global.php

sqsession_start.

Marc Groot Koerkamp.

PS: Is that nice enough :)
From: Chris H. <ta...@sq...> - 2003-07-08 21:23:44
> would need to come before any calls to session_start(). So not necessarily
> every PHP file but every PHP file that made a call to session_start() instead.

IIRC, we have a function to start the session, so it'd be a matter of
editing one file in one spot. As to how useful this directive would be..
I'm not entirely sure.

Jon Angliss is our resident Session Expert(tm). He loves sessions. C'mon
Jon, it's your turn at bat.

--
Chris Hilts
ta...@sq...
From: Scott H. <Sco...@bu...> - 2003-07-10 18:48:39
> Marc Groot Koerkamp>
> Andre Nicholson said:
>> The statement:
>>
>> session_cache_limiter('nocache');
>>
>> would need to come before any calls to session_start(). So not
>> necessarily every PHP file but every PHP file that made a call to
>> session_start() instead.
>>
>> Although, I have no clue how sessions are maintained in SM PHP wise so a
>> word from one of the SM developers would be nice :)
>>
>> Andre
>
> look at functions/global.php
>
> sqsession_start.
>
> Marc Groot Koerkamp.
>
> PS: Is that nice enough :)

Very nice. But I have tried this and no luck yet. What I did was insert
the code:

/* set the cache limiter to 'nocache' */
session_cache_limiter('nocache');

into functions/global.php, near the top, right after the little section
that has in it:

"convert old-style superglobals to current method".

But I can still "backpedal" with a browser, and the goal is to make the
browser not cache anything (for security, like at a public terminal).

Clue stick please?
From: Nicholas M. <nic...@mi...> - 2003-07-10 20:06:10
>> Marc Groot Koerkamp>
>> Andre Nicholson said:
>>> The statement:
>>>
>>> session_cache_limiter('nocache');
>>>
>>> would need to come before any calls to session_start(). So not
>>> necessarily every PHP file but every PHP file that made a call to
>>> session_start() instead.
>>>
>>> Although, I have no clue how sessions are maintained in SM PHP wise so a
>>> word from one of the SM developers would be nice :)
>>>
>>> Andre
>>
>> look at functions/global.php
>>
>> sqsession_start.
>>
>> Marc Groot Koerkamp.
>>
>> PS: Is that nice enough :)
>
> Very nice. But I have tried this and no luck yet. What I did was insert
> the code:
>
> /* set the cache limiter to 'nocache' */
> session_cache_limiter('nocache');
>
> into functions/global.php, near the top, right after the little section
> that has in it:
>
> "convert old-style superglobals to current method".
>
> But I can still "backpedal" with a browser, and the goal is to make the
> browser not cache anything (for security, like at a public terminal).
>
> Clue stick please?
>

might want to combine that with info on this page:

http://www.htmlgoodies.com/beyond/nocache.html

-N
From: Scott H. <Sco...@bu...> - 2003-07-11 15:42:54
> Nicholas Mistry>
>>>> The statement:
>>>>
>>>> session_cache_limiter('nocache');
>>>>
>>>> would need to come before any calls to session_start(). So not
>>>> necessarily every PHP file but every PHP file that made a call
>>>> to session_start() instead.
>>>>
>>>> Although, I have no clue how sessions are maintained in SM PHP wise so
>>>> a word from one of the SM developers would be nice :)
>>>>
>>>> Andre
>>>
>>> look at functions/global.php
>>>
>>> sqsession_start.
>>>
>>> Marc Groot Koerkamp.
>>>
>>> PS: Is that nice enough :)
>>
>> Very nice. But I have tried this and no luck yet. What I did was
>> insert the code:
>>
>> /* set the cache limiter to 'nocache' */
>> session_cache_limiter('nocache');
>>
>> into functions/global.php, near the top, right after the little section
>> that has in it:
>>
>> "convert old-style superglobals to current method".
>>
>> But I can still "backpedal" with a browser, and the goal is to make the
>> browser not cache anything (for security, like at a public terminal).
>>
>> Clue stick please?
>>
>
> might want to combine that with info on this page:
>
> http://www.htmlgoodies.com/beyond/nocache.html

I don't mean to be dense here, but I guess I am. I can't figure out how
to combine these 2. The URL article refers to html, which I understand a
bit of, but global.php is not html, it's php (which I understand nothing
of), and has no "<HEAD>" or other tags that the article refers to. Could
I get just a bit more explanation?

Scott
From: <gr...@pr...> - 2003-07-12 02:06:15
Forget the nocache option, just add the indicated lines to webmail.php
just after the session_start();

===========================================
session_start();

/* added by gcn 12/-7/2003 */
if(session_is_registered("visited")){
    exit;
}
$visited ="yes";
session_register("visited");
/* end of addition*/
============================================

If you leave without logging out and try to return with the browser
backspace you'll just get a blank page.

It works with SM 1.4.0 and provided PHP >= 4.1.0.

NB - health warning! I've not tested this hack exhaustively.
(be careful not to "refresh page")

>> Nicholas Mistry>
>
>>>>> The statement:
>>>>>
>>>>> session_cache_limiter('nocache');
>>>>>
>>>>> would need to come before any calls to session_start(). So not
>>>>> necessarily every PHP file but every PHP file that made a call
>>>>> to session_start() instead.
>>>>>
>>>>> Although, I have no clue how sessions are maintained in SM PHP wise
>>>>> so a word from one of the SM developers would be nice :)
>>>>>
>>>>> Andre
>>>>
>>>> look at functions/global.php
>>>>
>>>> sqsession_start.
>>>>
>>>> Marc Groot Koerkamp.
>>>>
>>>> PS: Is that nice enough :)
>>>
>>> Very nice. But I have tried this and no luck yet. What I did was
>>> insert the code:
>>>
>>> /* set the cache limiter to 'nocache' */
>>> session_cache_limiter('nocache');
>>>
>>> into functions/global.php, near the top, right after the little section
>>> that has in it:
>>>
>>> "convert old-style superglobals to current method".
>>>
>>> But I can still "backpedal" with a browser, and the goal is to make the
>>> browser not cache anything (for security, like at a public terminal).
>>>
>>> Clue stick please?
>>>
>>
>> might want to combine that with info on this page:
>>
>> http://www.htmlgoodies.com/beyond/nocache.html
>
> I don't mean to be dense here, but I guess I am. I can't figure out how
> to combine these 2. The URL article refers to html, which I understand a
> bit of, but global.php is not html, it's php (which I understand nothing
> of), and has no "<HEAD>" or other tags that the article refers to. Could
> I get just a bit more explanation?
>
> Scott
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Parasoft
> Error proof Web apps, automate testing & more.
> Download & eval WebKing and get a free book.
> www.parasoft.com/bulletproofapps1
> --
> squirrelmail-users mailing list
> List Address: squ...@li...
> List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
> List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
From: Scott H. <Sco...@bu...> - 2003-07-14 17:26:02
I put in the code you wrote, and it works great. Thanks so much! It's
always awesome to have someone just write the code you need, and voila' -
now I have the functionality my company requires! This is another example
of why Open Source software is so great. It's the people - you can't beat
that kind of service! :)

> gr...@pr...>
> Forget the nocache option, just add the indicated lines to webmail.php
> just after the session_start();
From: p d. t. <pdo...@an...> - 2003-08-28 00:55:20
Attachments:
timeout_user-1.2-0.5.tar.gz
All,

Please find attached a new version of the timeout_user plugin. It now
includes functionality that will solve this problem without the need to patch
SquirrelMail. The user *is* allowed to browse back to SquirrelMail within the
defined timeout duration, but after that, they will see the signout screen if
they try to browse back to SM.

If you don't need the other functionality in this plugin, you should configure
it to *only* use server-side timeout functionality, do *not* allow users to
set their own timeout value, and define an appropriate system-wide timeout
duration.

HTH,

Paul

> -----Original Message-----
> From: squ...@li...
> [mailto:squ...@li...] On Behalf Of Scott
> Henderson
> Sent: Monday, July 14, 2003 9:53 AM
> To: gr...@pr...
> Cc: squ...@li...
> Subject: RE: [SM-USERS] How to improve security for SM users
>
> I put in the code you wrote, and it works great. Thanks so much! It's
> always awesome to have someone just write the code you need, and voila' -
> now I have the functionality my company requires! This is another example
> of why Open Source software is so great. It's the people - you can't beat
> that kind of service! :)
>
> > gr...@pr...>
> > Forget the nocache option, just add the indicated lines to webmail.php
> > just after the session_start();
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Parasoft
> Error proof Web apps, automate testing & more.
> Download & eval WebKing and get a free book.
> www.parasoft.com/bulletproofapps1
> --
> squirrelmail-users mailing list
> List Address: squ...@li...
> List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
> List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
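
The server-side timeout described in the message above, combined with the session_cache_limiter('nocache') ordering discussed earlier in the thread, as an added example that is not part of the thread and is not the timeout_user plugin's or SquirrelMail's code. It assumes PHP 7.1 or later; IDLE_LIMIT, the 'last_seen' session key, session_is_fresh(), guard_request() and signout.php are hypothetical names.

```php
<?php
// Added example, not SquirrelMail or timeout_user code. IDLE_LIMIT, 'last_seen',
// session_is_fresh(), guard_request() and signout.php are hypothetical names.
const IDLE_LIMIT = 600; // seconds; one system-wide value, not user-settable

/** True while inside the idle window (and slides it forward); false once expired. */
function session_is_fresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_seen']) && $now - $session['last_seen'] > $limit) {
        return false;             // idle too long: caller must end the session
    }
    $session['last_seen'] = $now; // first request, or still active
    return true;
}

/** Call at the top of every page that needs a session. */
function guard_request(): void
{
    // Must precede session_start(): PHP then sends an Expires date in the past,
    // Cache-Control: no-store, no-cache, must-revalidate and Pragma: no-cache.
    session_cache_limiter('nocache');
    session_start();

    if (session_is_fresh($_SESSION, time())) {
        return;
    }
    $_SESSION = [];               // drop the server-side state
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: signout.php'); // assumed signout page
    exit;
}

// Constructed check of the timing logic; runs only from the command line.
if (PHP_SAPI === 'cli') {
    $s = [];
    var_dump(session_is_fresh($s, 1000)); // first request
    var_dump(session_is_fresh($s, 1600)); // idle exactly IDLE_LIMIT seconds
    var_dump(session_is_fresh($s, 2201)); // idle 601 seconds
}
```

The cache headers only ask the browser not to keep the page; the server-side check is what bounds how long an abandoned session stays usable.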