
Re: Retrieveuserdata plugin

by Hugo Monteiro-2

Paul Lesniewski wrote:

>>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>>> automatically get the users' information from LDAP. From time to time I'm
>>>>>>> getting complaints from users that say that suddenly they have found
>>>>>>> their webmail account information changed to match another user's
>>>>>>> information, like the full name and email address. I haven't been able
>>>>>>> to find a pattern until today.
>>>>>>>
>>>>>>> Today I got another of those complaints, but the user referred that the
>>>>>>> information that he got in his webmail account was from a friend that
>>>>>>> shared the same workstation as him.
>>>>>>>
>>>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>>>> out before the second user logs in.
>>>>>>
>>>>>>
>>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>>> I was wondering if there was any alternative to provide this feature.
>>>>>>>
>>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>>> SquirrelMail in the same browser with more than one account.
>>>>>>
>>>>>>
>>>>> Hello Paul,
>>>>>
>>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>>> one could do to prevent this from happening, apart from educating the users.
>>>>>
>>>>> TIA,
>>>>>
>>>>> Hugo Monteiro.
>>>>>
>>>> In my opinion this is not an issue specific to SquirrelMail but to web
>>>> based applications as a whole. This is similar to the behavior that you
>>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>>> navigates away from the site, amazon.com will remember the user
>>>> information. If user2 then comes along and uses the same browser to
>>>> access amazon.com, the site will still think user1 is accessing the site
>>>> and display user1 information. What amazon.com does for this is provide
>>>> a link under the user name with something like "Not user1? click here".
>>>> (amazon.com does require re-authentication after some timeout period if
>>>> a user tries to access account specific functions for the 'cached'
>>>> account to protect against unauthorized access)
>>>>
>>>> The basic issue is the user info is stored on a session basis, and a
>>>> single web browser instance can only have a single session with the web
>>>> based application. When user2 comes along and signs in to the
>>>> application, they in effect hijack the session. When user1 goes back
>>>> to access the application, they are now accessing it as user2.
>>>>
>>>> There is no way for the web application to let 2 users share a single
>>>> session. The application has no way of knowing which user is making a
>>>> specific request since the requests are all associated with a single
>>>> session.
>>>>
>>>> Unfortunately there is no easy solution for session hijacking other than
>>>> training the users.
>>> If the browser side of the session is handled without cookies (the ID
>>> gets added to all page addresses), then multiple sessions are possible.
>> So would disabling client side cookies solve this problem?
>
> No, SquirrelMail doesn't support non-cookie operation currently.  Sorry.
>

Is there any plugin, or hack, to add that amazon-like "not UserX? Click
here." so the user can be sure they're not using someone else's session?

Regards,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email : hugo.monteiro@...
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Centro de Informática
Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt      apoio@...

ci.fct.unl.pt:~# _
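The one-session-per-browser behaviour described in this thread, the amazon-style "Not user1? Click here" logout, and the re-authentication timeout mentioned for account-specific actions, as an added toy model in Python. This is not SquirrelMail or plugin code; the cookie name SQMSESSID, the IDLE_LIMIT value and the user names are assumptions made for the example.

```python
import secrets

# Assumed value: idle seconds after which account-specific actions need re-auth.
IDLE_LIMIT = 900

class WebmailApp:
    """Server side: session id -> user record, looked up by the session cookie.
    A browser is modelled as its cookie jar (a dict), which is why one browser
    can only ever hold one session with the app."""
    def __init__(self):
        self.sessions = {}

    def _session(self, cookies):
        return self.sessions.get(cookies.get("SQMSESSID"))

    def login(self, cookies, user, now):
        # Drop whatever session the cookie pointed at and issue a fresh id, so a
        # second login replaces the first identity instead of extending it.
        self.sessions.pop(cookies.get("SQMSESSID"), None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "last_auth": now}
        cookies["SQMSESSID"] = sid

    def whoami(self, cookies):
        # Identity for a "Logged in as X. Not X? Click here" banner.
        s = self._session(cookies)
        return s["user"] if s else None

    def logout(self, cookies):
        # The "Not X? Click here" action: destroy server state and the cookie.
        self.sessions.pop(cookies.pop("SQMSESSID", None), None)

    def read_mail(self, cookies, now):
        # Account-specific action: needs a live session and a recent login.
        s = self._session(cookies)
        if s is None:
            return "login required"
        if now - s["last_auth"] > IDLE_LIMIT:
            return "re-authentication required"
        return f"inbox of {s['user']}"

def shared_workstation_scenario():
    """Replays the thread's complaint: user1 walks away without logging out."""
    app, browser = WebmailApp(), {}
    app.login(browser, "user1", now=0)
    before = app.whoami(browser)
    app.login(browser, "user2", now=60)   # friend logs in on the same browser
    after = app.whoami(browser)           # user1 comes back and is now "user2"
    app.logout(browser)                   # user1 clicks "Not user2? Click here"
    return before, after, app.whoami(browser)
```

The banner only helps if the identity is shown on every page and the link actually destroys the session on the server, not just the cookie.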


