
Re: Retrieveuserdata plugin

by Paul Lesniewski


On Wed, May 20, 2009 at 10:09 AM, Hugo Monteiro
<hugo.monteiro@...> wrote:

> Paul Lesniewski wrote:
>>>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>>>> automatically get the user's information from LDAP. From time to time I'm
>>>>>>>> getting complaints from users that say that suddenly they have found
>>>>>>>> their webmail account information changed to match another user's
>>>>>>>> information, like the full name and email address. I haven't been able
>>>>>>>> to find a pattern until today.
>>>>>>>>
>>>>>>>> Today I got another of those complaints, but the user referred that the
>>>>>>>> information that he got in his webmail account was from a friend that
>>>>>>>> shared the same workstation as him.
>>>>>>>>
>>>>>>>>
>>>>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>>>>> out before the second user logs in.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>>>>
>>>>>>>>
>>>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>>>> SquirrelMail in the same browser with more than one account.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello Paul,
>>>>>>
>>>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>>>> one could do to prevent this from happening, apart from educating the users.
>>>>>>
>>>>>> TIA,
>>>>>>
>>>>>> Hugo Monteiro.
>>>>>>
>>>>>>
>>>>> In my opinion this is not an issue specific to SquirrelMail but to web
>>>>> based applications as a whole. This is the similar behavior that you
>>>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>>>> navigates away from the site, amazon.com will remember the user
>>>>> information. If user2 then comes along and uses the same browser to
>>>>> access amazon.com, the site will still think user1 is accessing the site
>>>>> and display user1 information. What amazon.com does for this is provide
>>>>> a link under the user name with something like "Not user1? click here".
>>>>> (amazon.com does require re-authentication after some timeout period if
>>>>> a user tries to access account specific functions for the 'cached'
>>>>> account to protect against unauthorized access)
>>>>>
>>>>> The basic issue is the user info is stored on a session basis, and a
>>>>> single web browser instance can only have a single session with the web
>>>>> based application. When user2 comes along and signs in to the
>>>>> application, they in effect hijack the session. When user one goes back
>>>>> to access the application, they are now accessing it as user2.
>>>>>
>>>>> There is no way for the web application to let 2 users share a single
>>>>> session. The application has no way of knowing which user is making a
>>>>> specific request since the requests are all associated with a single
>>>>> session.
>>>>>
>>>>> Unfortunately there is no easy solution for session hijacking other than
>>>>> training the users.
>>>>>
>>>> If the browser side of the session is handled without cookies (the ID
>>>> gets added to all page addresses), then multiple sessions are possible.
>>>>
>>> So would disabling client side cookies solve this problem?
>>>
>>
>> No, SquirrelMail doesn't support non-cookie operation currently.  Sorry.
>>
>>
>
> Is there any plugin, or hack, to add that amazon like "not UserX? Click
> here." so the user can be sure they're not using someone else's session?

There are about two plugins in the visual additions category that put
the username in the left (folder) frame.  But this is not fool-proof,
either.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

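The advice above that the first user must log out before the second logs in amounts to clearing the browser's session before the new user's data is stored. The following added example (not SquirrelMail or plugin code; `retrieve_user_profile()` is a hypothetical stand-in for the LDAP lookup, with constructed sample data) contrasts a login handler that writes into whatever session the browser already carries with one that discards the previous user's state first.

```php
<?php
// Added illustration, not SquirrelMail or retrieve_user_data code.

// Hypothetical stand-in for the LDAP lookup; constructed sample data.
function retrieve_user_profile(string $username): array {
    $directory = [
        'alice' => ['full_name' => 'Alice Example', 'email' => 'alice@example.org'],
        'bob'   => ['full_name' => 'Bob Example'],   // no email attribute in LDAP
    ];
    return $directory[$username] ?? [];
}

// Login that reuses the session already in the browser: only the keys the
// lookup returns are rewritten, so any key the previous user set and the new
// user's lookup lacks (here 'email') survives into the new user's session.
function login_reusing_session(string $username): void {
    session_start();
    $_SESSION['username'] = $username;
    foreach (retrieve_user_profile($username) as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

// Hardened login: drop every value the previous user left, issue a fresh
// session ID (deleting the old session on the server), then store the new
// user's data. Whatever the first user did not log out of is gone.
function login_fresh_session(string $username): void {
    session_start();
    $_SESSION = [];                  // forget the previous user's state
    session_regenerate_id(true);     // new ID; old session data is deleted
    $_SESSION['username'] = $username;
    foreach (retrieve_user_profile($username) as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

// Sequence from the thread: alice logs in, then bob logs in at the same
// browser without alice logging out.
login_reusing_session('alice');
login_reusing_session('bob');
$stale = isset($_SESSION['email']);   // true: alice's address is still there

login_fresh_session('alice');
login_fresh_session('bob');
$clean = !isset($_SESSION['email']);  // true: nothing of alice's remains
```

This removes data bleeding from the first user into the second user's login; it does not address the other direction the thread describes, where the first user returns to the shared browser and is now acting as the second user.
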
-----
squirrelmail-plugins mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-plugins@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins
