>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>> automatically get the users' information from LDAP. From time to time I'm
>>>>>> getting complaints from users that say that suddenly they have found
>>>>>> their webmail account information changed to match another user's
>>>>>> information, like the full name and email address. I haven't been able
>>>>>> to find a pattern until today.
>>>>>>
>>>>>> Today I got another of those complaints, but the user reported that the
>>>>>> information that he got in his webmail account was from a friend who
>>>>>> shared the same workstation as him.
>>>>>>
>>>>> This is a known issue in SquirrelMail. The first user needs to log
>>>>> out before the second user logs in.
>>>>>
>>>>>
>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>> I was wondering if there was any alternative to provide this feature.
>>>>>>
>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>> SquirrelMail in the same browser with more than one account.
>>>>>
>>>>>
>>>> Hello Paul,
>>>>
>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>> one could do to prevent this from happening, apart from educating the users.
>>>>
>>>> TIA,
>>>>
>>>> Hugo Monteiro.
>>>>
>>> In my opinion this is not an issue specific to SquirrelMail but to web-
>>> based applications as a whole. This is similar to the behavior you
>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>> navigates away from the site, amazon.com will remember the user
>>> information. If user2 then comes along and uses the same browser to
>>> access amazon.com, the site will still think user1 is accessing the site
>>> and display user1 information. What amazon.com does for this is provide
>>> a link under the user name with something like "Not user1? click here".
>>> (amazon.com does require re-authentication after some timeout period if
>>> a user tries to access account specific functions for the 'cached'
>>> account to protect against unauthorized access)
>>>
>>> The basic issue is that the user info is stored on a session basis, and a
>>> single web browser instance can only have a single session with the web-
>>> based application. When user2 comes along and signs in to the
>>> application, they in effect hijack the session. When user1 goes back
>>> to access the application, they are now accessing it as user2.
>>>
>>> There is no way for the web application to let 2 users share a single
>>> session. The application has no way of knowing which user is making a
>>> specific request, since the requests are all associated with a single
>>> session.
>>>
>>> Unfortunately there is no easy solution for session hijacking other than
>>> training the users.
>>
>> If the browser side of the session is handled without cookies (the ID
>> gets added to all page addresses), then multiple sessions are possible.
>
> So would disabling client side cookies solve this problem?
No, SquirrelMail doesn't support non-cookie operation currently. Sorry.
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
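The mechanism described in the thread, as an added illustration that is not SquirrelMail code and not the retrieve user data plugin's code: a browser keeps one cookie per site, so a cookie-based application sees exactly one session per browser, and if a login reuses the session record that is already there, whatever the previous user left in it is carried over. The model below is Python rather than PHP and runs stand-alone. The `DIRECTORY` table is a constructed stand-in for the LDAP records, the cookie name `SQMSESSID` is assumed, and the assumption that profile fields are only fetched when the session does not already carry them is mine, chosen to reproduce the symptom reported above. The model also shows the two things that change the outcome: wiping the session and issuing a fresh ID at login (which stops the carry-over, and incidentally blocks session fixation, but still leaves one session per browser, as Paul says), and carrying the session ID in the URL instead of a cookie, which is what makes two concurrent sessions in one browser possible.

```python
"""Model of one-session-per-browser behaviour with cookie-based sessions.

Added example, not SquirrelMail or plugin code. Names, cookie name and the
plugin's assumed caching behaviour are constructed for the illustration.
"""
import secrets

# Constructed stand-in for the LDAP records the plugin would fetch.
DIRECTORY = {
    "alice": {"full_name": "Alice Example", "email": "alice@example.org"},
    "bob": {"full_name": "Bob Example", "email": "bob@example.org"},
}

COOKIE_NAME = "SQMSESSID"  # assumed cookie name for this model


class Browser:
    """One browser instance: every tab shares the same cookie jar."""

    def __init__(self):
        self.cookies = {}


class WebmailApp:
    """Server side: a session store keyed by session ID."""

    def __init__(self, regenerate_on_login):
        self.sessions = {}
        self.regenerate_on_login = regenerate_on_login

    @staticmethod
    def _new_sid():
        return secrets.token_hex(16)

    def login_with_cookie(self, browser, username):
        """Cookie-based session. The browser presents whatever session cookie it
        already holds, so a second login from the same browser lands on the
        first user's session record unless the application replaces it."""
        sid = browser.cookies.get(COOKIE_NAME)
        if sid not in self.sessions:
            sid = self._new_sid()
            self.sessions[sid] = {}
        if self.regenerate_on_login:
            # Hardened variant: discard the old record and issue a fresh ID.
            # Nothing the previous user stored survives, and an ID planted
            # before authentication (session fixation) is never upgraded.
            del self.sessions[sid]
            sid = self._new_sid()
            self.sessions[sid] = {}
        session = self.sessions[sid]
        session["user"] = username
        # Assumed plugin behaviour for this model: directory data is fetched
        # only when the session does not already carry a profile. With a
        # reused session, user2 therefore inherits user1's name and address.
        session.setdefault("profile", DIRECTORY[username])
        browser.cookies[COOKIE_NAME] = sid
        return sid

    def whoami_cookie(self, browser):
        """What a page request from this browser shows: (login name, full name)."""
        session = self.sessions[browser.cookies[COOKIE_NAME]]
        return session["user"], session["profile"]["full_name"]

    def login_with_url_sid(self, username):
        """Cookie-less session: the ID is handed back to the tab that logged in
        and appended to that tab's links, so each tab can hold a different one."""
        sid = self._new_sid()
        self.sessions[sid] = {"user": username, "profile": DIRECTORY[username]}
        return sid

    def whoami_url(self, sid):
        session = self.sessions[sid]
        return session["user"], session["profile"]["full_name"]


def shared_workstation(regenerate_on_login):
    """alice logs in, walks away without logging out, then bob logs in on the
    same browser. Returns what bob's page shows, what alice's old tab shows
    when she comes back, and how many live sessions the server holds."""
    app = WebmailApp(regenerate_on_login)
    browser = Browser()
    app.login_with_cookie(browser, "alice")
    app.login_with_cookie(browser, "bob")
    bob_view = app.whoami_cookie(browser)
    alice_tab_view = app.whoami_cookie(browser)  # same cookie jar, same answer
    return bob_view, alice_tab_view, len(app.sessions)


def url_sid_workstation():
    """Same two users, session ID carried in the URL: two live sessions."""
    app = WebmailApp(regenerate_on_login=True)
    alice_sid = app.login_with_url_sid("alice")
    bob_sid = app.login_with_url_sid("bob")
    return app.whoami_url(alice_sid), app.whoami_url(bob_sid), len(app.sessions)


if __name__ == "__main__":
    print("reused session :", shared_workstation(regenerate_on_login=False))
    print("regenerated    :", shared_workstation(regenerate_on_login=True))
    print("url-carried ids:", url_sid_workstation())
```

With a reused session bob's page shows "Alice Example", which is the complaint that opened the thread; with regeneration bob gets his own profile, but alice's tab still answers as bob because both tabs present the same cookie, so logging out first remains the only cure for cookie-based operation. URL-carried session IDs do allow two concurrent sessions, but they leak through Referer headers, browser history, bookmarks and proxy logs, so that route trades one exposure for another.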
squirrelmail-plugins mailing list
Posting guidelines:
http://squirrelmail.org/postingguidelines
List address:
squirrelmail-plugins@...
List archives:
http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins