
Re: Retrieveuserdata plugin

by Brett Johnson

Paul Lesniewski wrote:

> On Tue, May 19, 2009 at 3:12 PM, Brett Johnson <brett@...> wrote:
>> Hugo Monteiro wrote:
>>> Paul Lesniewski wrote:
>>>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>> automatically get the users' information from LDAP. From time to time I'm
>>>>> getting complaints from users that say that suddenly they have found
>>>>> their webmail account information changed to match another user's
>>>>> information, like the full name and email address. I haven't been able
>>>>> to find a pattern until today.
>>>>>
>>>>> Today I got another of those complaints, but the user referred that the
>>>>> information that he got in his webmail account was from a friend that
>>>>> shared the same workstation as him.
>>>>>
>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>> out before the second user logs in.
>>>>
>>>>
>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>
>>>> It's nothing to do with the plugin; it's a limitation of using
>>>> SquirrelMail in the same browser with more than one account.
>>>>
>>>>
>>> Hello Paul,
>>>
>>> Thank you for the prompt reply. I was wondering if there was anything
>>> one could do to prevent this from happening, apart from educating the users.
>>>
>>> TIA,
>>>
>>> Hugo Monteiro.
>>>
>> In my opinion this is not an issue specific to Squirrel Mail but to web
>> based applications as a whole. This is similar to the behavior that you
>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>> navigates away from the site, amazon.com will remember the user
>> information. If user2 then comes along and uses the same browser to
>> access amazon.com, the site will still think user1 is accessing the site
>> and display user1 information. What amazon.com does for this is provide
>> a link under the user name with something like "Not user1? click here".
>> (amazon.com does require re-authentication after some timeout period if
>> a user tries to access account specific functions for the 'cached'
>> account to protect against unauthorized access)
>>
>> The basic issue is the user info is stored on a session basis, and a
>> single web browser instance can only have a single session with the web
>> based application. When user2 comes along and signs in to the
>> application, they in effect hijack the session. When user one goes back
>> to access the application, they are now accessing it as user2.
>>
>> There is no way for the web application to let 2 users share a single
>> session. The application has no way of knowing which user is making a
>> specific request since the requests are all associated with a single
>> session.
>>
>> Unfortunately there is no easy solution for session hijacking other than
>> training the users.
>
> If the browser side of the session is handled without cookies (the ID
> gets added to all page addresses), then multiple sessions are possible.
>
So would disabling client side cookies solve this problem?

--
Regards,

Brett Johnson
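The two claims made above (one cookie-based session per browser, so the second login takes over the first user's identity; a session ID carried in the URL lets two sessions coexist) can be shown with a small model. The following is an added illustration written for this archive page, not SquirrelMail or plugin code; the `WebApp`, `Browser`, the sample directory entries and the `/webmail/?sid=` URL shape are all constructed for the example.

```python
"""Toy model of the shared-workstation session mix-up described in the thread.

A pretend webmail app keeps each logged-in user's directory data (what a
"retrieve user data" plugin would pull from LDAP) in a server-side session
store. The session is identified either by a cookie, which a browser holds
once per site, or by a session ID in the URL, which each tab carries on its
own. Every name, URL and record here is constructed for the example.
"""
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample directory entries (stand-ins for LDAP results).
DIRECTORY = {
    "hugo": {"full_name": "Hugo Monteiro", "email": "hugo@example.invalid"},
    "brett": {"full_name": "Brett Johnson", "email": "brett@example.invalid"},
}


class Browser:
    """One browser instance: a single cookie jar shared by every tab."""

    def __init__(self):
        self.cookies = {}


class WebApp:
    """Hypothetical webmail app; `session_in_url` selects the session transport."""

    def __init__(self, session_in_url):
        self.session_in_url = session_in_url
        self.sessions = {}  # session id -> user data loaded at login

    def login(self, browser, username):
        """Create a fresh session and return the URL the user's tab keeps using."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, **DIRECTORY[username]}
        if self.session_in_url:
            return f"/webmail/?sid={sid}"  # ID travels with this tab's URL
        browser.cookies["SID"] = sid      # overwrites any earlier session cookie
        return "/webmail/"

    def _sid(self, browser, url):
        if self.session_in_url:
            return parse_qs(urlparse(url).query).get("sid", [None])[0]
        return browser.cookies.get("SID")

    def whoami(self, browser, url):
        """Which user the server believes is making a request from this tab."""
        session = self.sessions.get(self._sid(browser, url))
        return session["user"] if session else None

    def logout(self, browser, url):
        """Destroy the session server-side so the ID the browser holds is dead."""
        self.sessions.pop(self._sid(browser, url), None)
        browser.cookies.pop("SID", None)


def shared_workstation(session_in_url, first_user_logs_out):
    """Hugo logs in, then Brett logs in on the same browser.

    Returns (user seen in Hugo's tab, user seen in Brett's tab,
             number of live sessions left on the server).
    """
    app = WebApp(session_in_url)
    browser = Browser()
    hugo_tab = app.login(browser, "hugo")
    if first_user_logs_out:
        app.logout(browser, hugo_tab)
    brett_tab = app.login(browser, "brett")
    return (app.whoami(browser, hugo_tab),
            app.whoami(browser, brett_tab),
            len(app.sessions))


if __name__ == "__main__":
    print("cookie session, no logout:   ", shared_workstation(False, False))
    print("cookie session, logout first:", shared_workstation(False, True))
    print("URL session, no logout:      ", shared_workstation(True, False))
    print("URL session, logout first:   ", shared_workstation(True, True))
```

With cookie sessions Hugo's tab answers as Brett the moment Brett logs in, and without a logout Hugo's session is left orphaned on the server; with the ID in the URL each tab keeps its own identity. The trade-off a practitioner should weigh before switching transports: a URL-carried session ID is visible in the address bar, browser history, bookmarks and outgoing Referer headers, so it swaps the shared-browser mix-up for a leakage risk. Destroying the session server-side on logout and expiring idle sessions stay the sound defaults under either transport.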


-----
squirrelmail-plugins mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-plugins@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins
