
Re: possible SQMSESSID, account merging bug

by Paul Lesniewski


On Thu, Mar 5, 2009 at 10:48 AM, John Workman <johnw@...> wrote:
> Greetings,
>
> Not sure if I should enter a tracker bug for this, seeing as how it may
> have been addressed in the past.
>
> Customers have reported that some of their account details get 'merged'
> into another account that they typically use from the same workstation.
> Specifically, the name and email address prefs get copied from one
> account and actually saved into the preferences of another.

This is a known issue for now (as long as SM uses cookie-based
sessions).  The use case that can reproduce it is to log in to one
account, then in another tab of the SAME browser window, log into
another account on the same server, NOT having logged out of the first
account.  The only way to avoid the problem is to use separate
browsers for each account or make sure users log out of one account
before using the next.

If you think this is related to any session ID/cookie problems, please
show proof.  We really appreciate all the details that follow, but the
problem as explained above is not really going to be fixed until we
accommodate non-cookie session management.

> I'm not able to reproduce this exact behavior, but seeing as how the
> SQMSESSID doesn't seem to change between login/logout, it's easy to see
> how this could happen under certain circumstances.
>
> It seems that new session IDs are not generated, and the attempts by
> squirrelmail to remove the SQMSESSID cookie by setting the date to Thu,
> 01-Jan-1970 00:00:01 GMT don't seem to remove all instances of the cookie.
>
> The problem seems very similar to this:
>
> http://www.linux-archive.org/centos/232460-squirrelmail-sending-under-wrong-username.html
>
>
> Squirrelmail Version = 1.4.17. Also problem appears in 1.4.18-svn (13411).
> plugins = none. just defaults.
> php version = 4.3.10 (problem also appears with 5.2)
> web server = apache 2.0.54
> imap server = dovecot 1.0
> smtp server = postfix 2.1.5
> browser = firefox 3.0.5
>
> Differences in install: Squirrelmail is in subdir instead of docroot.
>
> In the test cases detailed below, we have r13411 of stable branch in
> /webmail-test/, but the latest stable release (1.4.17) has the exact
> same behavior.
>
> src/configtest.php displays no warnings or errors.
>
>
> If I hit src/login.php without having any cookies sent, Squirrelmail
> sends 4 Set-Cookie headers:
>
> Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure
> Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
>
> According to Firefox Web developer plugin, this results in 2 cookies
> being set:
>
> Name    SQMSESSID
> Value    eb5b3ed9d88a9a43d95a4a97958190c0
> Host    mail.voyageurweb.com
> Path    /webmail-test/
> Secure    Yes
> Expires    At End Of Session
>
> Name    SQMSESSID
> Value    f7714943ee06d0c828b19b901f5bbaa9
> Host    mail.voyageurweb.com
> Path    /webmail-test/src/
> Secure    Yes
> Expires    At End Of Session
>
> Upon logging in (POST to /src/redirect.php), my browser sends the
> following cookies:
> Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9;
> SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0
>
> I get a 302 redirect response, with the following Set-Cookie headers:
>
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: squirrelmail_language=en_US; expires=Sat, 04-Apr-2009
> 17:41:10 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
>
> Subsequent page access while logged in all have multiple Set-Cookie headers.
>
> /src/compose.php sends these:
>
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
>
> /src/addressbook.php sends these:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
>
> /src/signout.php sends these:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
> 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: key=SQMTRASH; expires=Thu, 01-Jan-1970 00:00:01 GMT;
> path=/webmail-test/; secure; HttpOnly
>
> At this point, Firefox Web developer shows that I have two cookies:
> Name    SQMSESSID
> Value    eb5b3ed9d88a9a43d95a4a97958190c0
> Host    mail.voyageurweb.com
> Path    /webmail-test/src/
> Secure    Yes
> Expires    At End Of Session
>
> Name    squirrelmail_language
> Value    deleted
> Host    mail.voyageurweb.com
> Path    /webmail-test/
> Secure    Yes
> Expires    Sat, 04 Apr 2009 17:41:49 GMT
>
> If I go to login.php, my browser sends this:
> Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> squirrelmail_language=deleted
>
> And I get these headers in the response:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
> 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
> path=/webmail-test/; secure; HttpOnly
>
> Firefox web developer plugin shows I still have these cookies:
> Name    SQMSESSID
> Value    eb5b3ed9d88a9a43d95a4a97958190c0
> Host    mail.voyageurweb.com
> Path    /webmail-test/
> Secure    Yes
> Expires    At End Of Session
>
> Name    SQMSESSID
> Value    eb5b3ed9d88a9a43d95a4a97958190c0
> Host    mail.voyageurweb.com
> Path    /webmail-test/src/
> Secure    Yes
> Expires    At End Of Session
>
> Name    squirrelmail_language
> Value    deleted
> Host    mail.voyageurweb.com
> Path    /webmail-test/
> Secure    Yes
> Expires    Sat, 04 Apr 2009 17:41:49 GMT
>

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
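The cookie behaviour John describes (two SQMSESSID cookies stored under different paths, the signout deletion naming only one of them, and the same ID reused afterwards) can be replayed offline. The script below is an added example; it is not SquirrelMail code and not from either author of the thread. It implements a minimal RFC 6265-style cookie jar (one slot per name and path, a missing Path attribute defaulting to the request directory, a past Expires deleting only the exact name+path) and feeds it the Set-Cookie headers quoted above, with folded header lines joined, the repeated identical headers collapsed, and "now" fixed to the day of the mail. `FIXED_SIGNOUT` is a constructed illustration of a signout response that clears the cookie at both paths; it is not a proposed SquirrelMail patch.

```python
"""Replay the thread's Set-Cookie headers through a small RFC 6265-style
cookie jar to see which SQMSESSID cookies a browser would keep after signout.
Added example, not SquirrelMail code."""
from datetime import datetime, timezone


def default_path(request_path):
    """RFC 6265 5.1.4 default-path: the request path up to its last '/'.
    Kept with a trailing '/' so it compares equal to an explicit
    Path=/webmail-test/src/, which is how Firefox displayed it in the thread."""
    if request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/") + 1]


def parse_set_cookie(header, request_path):
    """Parse one Set-Cookie value into name, value, path and an aware expiry (or None)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    path = attrs.get("path") or default_path(request_path)
    path = path if path.endswith("/") else path + "/"
    expires = None
    if attrs.get("expires"):  # Netscape-style date as quoted: Thu, 01-Jan-1970 00:00:01 GMT
        expires = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S %Z")
        expires = expires.replace(tzinfo=timezone.utc)
    return {"name": name.strip(), "value": value, "path": path, "expires": expires}


class CookieJar:
    """One slot per (name, path); the host is the same for every request here."""

    def __init__(self):
        self.cookies = {}

    def apply(self, request_path, headers, now):
        """Store each Set-Cookie; an expiry in the past removes only the cookie
        with exactly the same name and path (RFC 6265 5.3), nothing else."""
        for header in headers:
            cookie = parse_set_cookie(header, request_path)
            key = (cookie["name"], cookie["path"])
            if cookie["expires"] is not None and cookie["expires"] <= now:
                self.cookies.pop(key, None)
            else:
                self.cookies[key] = cookie

    def cookie_header(self, request_path):
        """Cookie header the browser would send: path-matching cookies, longest path first."""
        matching = [c for c in self.cookies.values() if request_path.startswith(c["path"])]
        matching.sort(key=lambda c: len(c["path"]), reverse=True)
        return "; ".join(f"{c['name']}={c['value']}" for c in matching)

    def values_of(self, name):
        """{path: value} for every stored cookie with this name."""
        return {c["path"]: c["value"] for c in self.cookies.values() if c["name"] == name}


# Headers from the thread (folded lines joined, duplicate headers collapsed).
SID_A = "f7714943ee06d0c828b19b901f5bbaa9"
SID_B = "eb5b3ed9d88a9a43d95a4a97958190c0"
EPOCH = "expires=Thu, 01-Jan-1970 00:00:01 GMT"
LOGIN_PAGE = [f"SQMSESSID={SID_A}; secure", f"SQMSESSID={SID_A}; secure; HttpOnly",
              f"SQMSESSID={SID_B}; path=/webmail-test/; secure",
              f"SQMSESSID={SID_B}; path=/webmail-test/; secure; HttpOnly"]
REDIRECT = [f"SQMSESSID={SID_B}; secure; HttpOnly",
            f"SQMSESSID={SID_B}; path=/webmail-test/; secure; HttpOnly",
            "squirrelmail_language=en_US; expires=Sat, 04-Apr-2009 17:41:10 GMT; path=/webmail-test/; secure; HttpOnly",
            "key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly"]
SIGNOUT = [f"SQMSESSID={SID_B}; secure; HttpOnly",
           f"SQMSESSID={SID_B}; {EPOCH}; path=/webmail-test/; secure; HttpOnly",
           f"key=SQMTRASH; {EPOCH}; path=/webmail-test/; secure; HttpOnly"]
# Constructed (not from the thread): a signout that deletes the cookie at both
# paths and never re-sets it without a Path attribute.
FIXED_SIGNOUT = [f"SQMSESSID=deleted; {EPOCH}; path=/webmail-test/; secure; HttpOnly",
                 f"SQMSESSID=deleted; {EPOCH}; path=/webmail-test/src/; secure; HttpOnly",
                 f"key=SQMTRASH; {EPOCH}; path=/webmail-test/; secure; HttpOnly"]
MAIL_DATE = datetime(2009, 3, 5, 17, 0, tzinfo=timezone.utc)


def logged_in_jar(now=MAIL_DATE):
    """Jar state after the login page and the POST to redirect.php."""
    jar = CookieJar()
    jar.apply("/webmail-test/src/login.php", LOGIN_PAGE, now)
    jar.apply("/webmail-test/src/redirect.php", REDIRECT, now)
    return jar


def paths_left_after(signout_headers, now=MAIL_DATE):
    """Check: which paths still hold an SQMSESSID cookie once a signout response is applied?"""
    jar = logged_in_jar(now)
    jar.apply("/webmail-test/src/signout.php", signout_headers, now)
    return sorted(jar.values_of("SQMSESSID"))


def replay_thread(now=MAIL_DATE):
    """Walk the thread's sequence and report what a reviewer wants to know."""
    jar = CookieJar()
    jar.apply("/webmail-test/src/login.php", LOGIN_PAGE, now)
    before = jar.values_of("SQMSESSID")
    sent = jar.cookie_header("/webmail-test/src/redirect.php")
    jar.apply("/webmail-test/src/redirect.php", REDIRECT, now)
    after = jar.values_of("SQMSESSID")
    return {"cookie_header_at_login": sent, "before_login": before, "after_login": after,
            # rotated only if no post-login ID was already known to the browser
            "session_id_rotated_on_login": not set(after.values()) & set(before.values()),
            "paths_left_after_signout": paths_left_after(SIGNOUT, now)}


if __name__ == "__main__":
    for key, val in replay_thread().items():
        print(f"{key}: {val}")
    print("paths left with fixed signout:", paths_left_after(FIXED_SIGNOUT))
```

Running it reproduces the thread's observations: the browser sends both SQMSESSID values (longer path first) when logging in, the post-login ID was already in the jar before authentication, and after signout the copy stored under /webmail-test/src/ survives because the deletion header only names /webmail-test/. The same `paths_left_after` check applied to `FIXED_SIGNOUT` returns no paths, which is the property a logout handler should be tested for whenever an application sets the same cookie under more than one path.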
