On Tue, May 19, 2009 at 3:12 PM, Brett Johnson <brett@...> wrote:
> Hugo Monteiro wrote:
>> Paul Lesniewski wrote:
>>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>>
>>>> Hello list,
>>>>
>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>> automatically get the users' information from LDAP. From time to time I'm
>>>> getting complaints from users that say that suddenly they have found
>>>> their webmail account information changed to match another user's
>>>> information, like the full name and email address. I haven't been able
>>>> to find a pattern until today.
>>>>
>>>> Today I got another of those complaints, but the user said that the
>>>> information that he got in his webmail account was from a friend that
>>>> shared the same workstation as him.
>>>>
>>> This is a known issue in SquirrelMail. The first user needs to log
>>> out before the second user logs in.
>>>
>>>
>>>> I was wondering if anyone using this plugin has experienced this type of
>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>> I was wondering if there was any alternative to provide this feature.
>>>>
>>> It's nothing to do with the plugin; it's a limitation of using
>>> SquirrelMail in the same browser with more than one account.
>>>
>>>
>>
>> Hello Paul,
>>
>> Thank you for the prompt reply. I was wondering if there was anything
>> one could do to prevent this from happening, apart from educating the users.
>>
>> TIA,
>>
>> Hugo Monteiro.
>>
> In my opinion this is not an issue specific to SquirrelMail but to web
> based applications as a whole. This is similar to the behavior that you
> see with sites like amazon.com. If user1 signs in to amazon.com and then
> navigates away from the site, amazon.com will remember the user
> information. If user2 then comes along and uses the same browser to
> access amazon.com, the site will still think user1 is accessing the site
> and display user1 information. What amazon.com does for this is provide
> a link under the user name with something like "Not user1? click here".
> (amazon.com does require re-authentication after some timeout period if
> a user tries to access account specific functions for the 'cached'
> account to protect against unauthorized access)
>
> The basic issue is the user info is stored on a session basis, and a
> single web browser instance can only have a single session with the web
> based application. When user2 comes along and signs in to the
> application, they in effect hijack the session. When user1 goes back
> to access the application, they are now accessing it as user2.
>
> There is no way for the web application to let 2 users share a single
> session. The application has no way of knowing which user is making a
> specific request since the requests are all associated with a single
> session.
>
> Unfortunately there is no easy solution for session hijacking other than
> training the users.
If the browser side of the session is handled without cookies (the ID
gets added to all page addresses), then multiple sessions are possible.
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
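To make the two points in this thread concrete (Brett's "one browser, one session" explanation and Paul's note that URL-carried session IDs allow several sessions), here is a small constructed model, added for illustration and not SquirrelMail or plugin code. The `Server` class, the user names and the directory entries are all assumptions made up for the example.

```python
"""Model of the shared-workstation session problem discussed in this thread.

Constructed illustration, not SquirrelMail or plugin code. A cookie-based
session gives the browser exactly one session id, so a second login in the
same browser overwrites the first user's session state and the first user,
returning to an open tab, is served the second user's data. Carrying the id
in each page address instead lets two sessions coexist in one browser.
Names and directory entries below are made up.
"""
import secrets

# Constructed stand-in for what the per-user LDAP lookup returns.
DIRECTORY = {
    "alice": {"fullname": "Alice Example", "email": "alice@example.org"},
    "bob":   {"fullname": "Bob Example",   "email": "bob@example.org"},
}


class Server:
    def __init__(self):
        self.sessions = {}          # session id -> user data

    def login(self, username, sid=None):
        """Populate a session with the user's data. If the browser already
        presents a session id, that same session is reused and overwritten,
        which is the 'hijack' Brett describes."""
        sid = sid or secrets.token_hex(16)
        self.sessions[sid] = dict(DIRECTORY[username])
        return sid

    def whoami(self, sid):
        """What the webmail UI displays for the given session id."""
        return self.sessions[sid]["email"]


def cookie_mode(server):
    """One cookie per browser: bob's login reuses alice's session id."""
    cookie = server.login("alice")           # alice logs in, leaves tab open
    server.login("bob", sid=cookie)          # bob logs in, no logout first
    return server.whoami(cookie)             # alice's tab now shows bob


def url_mode(server):
    """Session id in the page address: each tab keeps its own session."""
    alice_tab = "/webmail/?sid=" + server.login("alice")
    bob_tab = "/webmail/?sid=" + server.login("bob")
    sid_of = lambda url: url.rsplit("sid=", 1)[1]
    return server.whoami(sid_of(alice_tab)), server.whoami(sid_of(bob_tab))
```

The URL variant trades one problem for another: a session id in the address ends up in browser history, proxy and server logs and outgoing Referer headers, which is why cookies remain the default and why an idle timeout plus re-authentication for account-specific actions (the amazon.com behaviour Brett mentions) is the usual complement.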