Retrieveuserdata plugin


Retrieveuserdata plugin

by Hugo Monteiro-2

Hello list,

I'm currently using the retrieve user data plugin, version 0.9, to
automatically get the users' information from LDAP. From time to time I'm
getting complaints from users that say that suddenly they have found
their webmail account information changed to match another user's
information, like the full name and email address. I haven't been able
to find a pattern until today.

Today I got another of those complaints, but the user referred that the
information that he got in his webmail account was from a friend that
shared the same workstation as him.

I was wondering if anyone using this plugin has experienced this type of
behaviour. I also noticed that this plugin isn't maintained anymore, and
I was wondering if there was any alternative to provide this feature.

TIA,

Hugo Monteiro.


--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email : hugo.monteiro@...
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Centro de Informática
Faculdade de Ciências e Tecnologia da
                   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt      apoio@...

ci.fct.unl.pt:~# _


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables
unlimited royalty-free distribution of the report engine
for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
-----
squirrelmail-plugins mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-plugins@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.plugins
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins

Re: Retrieveuserdata plugin

by Paul Lesniewski

On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:

> Hello list,
>
> I'm currently using the retrieve user data plugin, version 0.9, to
> automatically get the users information from LDAP. From time to time i'm
> getting complaints from users that say that suddenly they have found
> their webmail account information changed to match another users
> information, like the full name and email address. I haven't been able
> to find a pattern until today.
>
> Today i got another of those complaints, but the user referred that the
> information that he got in his webmail account was from a friend that
> shared the same workstation as him.

This is a known issue in SquirrelMail.  The first user needs to log
out before the second user logs in.

> I was wondering if anyone using this plugin has experienced this type of
> behaviour. I also noticed that this plugin isn't maintained anymore, and
> i was wondering if there was any alternative to provide this feature.

It's nothing to do with the plugin; it's a limitation of using
SquirrelMail in the same browser with more than one account.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Retrieveuserdata plugin

by Hugo Monteiro-2

Paul Lesniewski wrote:

> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>  
>> Hello list,
>>
>> I'm currently using the retrieve user data plugin, version 0.9, to
>> automatically get the users information from LDAP. From time to time i'm
>> getting complaints from users that say that suddenly they have found
>> their webmail account information changed to match another users
>> information, like the full name and email address. I haven't been able
>> to find a pattern until today.
>>
>> Today i got another of those complaints, but the user referred that the
>> information that he got in his webmail account was from a friend that
>> shared the same workstation as him.
>>    
>
> This is a known issue in SquirrelMail.  The first user needs to log
> out before the second user logs in.
>
>  
>> I was wondering if anyone using this plugin has experienced this type of
>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>> i was wondering if there was any alternative to provide this feature.
>>    
>
> It's nothing to do with the plugin; it's a limitation of using
> SquirrelMail in the same browser with more than one account.
>
>  

Hello Paul,

Thank you for the prompt reply. I was wondering if there was anything
one could do to prevent this from happening, apart from educating the users.

TIA,

Hugo Monteiro.


Re: Retrieveuserdata plugin

by Brett Johnson-3

Hugo Monteiro wrote:

> Paul Lesniewski wrote:
>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>  
>>> Hello list,
>>>
>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>> automatically get the users information from LDAP. From time to time i'm
>>> getting complaints from users that say that suddenly they have found
>>> their webmail account information changed to match another users
>>> information, like the full name and email address. I haven't been able
>>> to find a pattern until today.
>>>
>>> Today i got another of those complaints, but the user referred that the
>>> information that he got in his webmail account was from a friend that
>>> shared the same workstation as him.
>>>    
>> This is a known issue in SquirrelMail.  The first user needs to log
>> out before the second user logs in.
>>
>>  
>>> I was wondering if anyone using this plugin has experienced this type of
>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>> i was wondering if there was any alternative to provide this feature.
>>>    
>> It's nothing to do with the plugin; it's a limitation of using
>> SquirrelMail in the same browser with more than one account.
>>
>>  
>
> Hello Paul,
>
> Thank you for the prompt reply. I was wondering if there was anything
> one could do to prevent this from happening, apart from educating the users.
>
> TIA,
>
> Hugo Monteiro.
>
In my opinion this is not an issue specific to Squirrel Mail but to
web-based applications as a whole. This is similar to the behavior that
you see with sites like amazon.com. If user1 signs in to amazon.com and
then navigates away from the site, amazon.com will remember the user
information. If user2 then comes along and uses the same browser to
access amazon.com, the site will still think user1 is accessing the site
and display user1 information. What amazon.com does for this is provide
a link under the user name with something like "Not user1? click here".
(amazon.com does require re-authentication after some timeout period if
a user tries to access account-specific functions for the 'cached'
account to protect against unauthorized access.)

The basic issue is the user info is stored on a session basis, and a
single web browser instance can only have a single session with the
web-based application. When user2 comes along and signs in to the
application, they in effect hijack the session. When user one goes back
to access the application, they are now accessing it as user2.

There is no way for the web application to let 2 users share a single
session. The application has no way of knowing which user is making a
specific request since the requests are all associated with a single
session.

Unfortunately there is no easy solution for session hijacking other than
training the users.

--
Regards,

Brett Johnson

CONFIDENTIAL NOTICE - The contents of this message, including any
attachments, are confidential and are intended solely for the use of the
person or entity to whom the message was addressed.  If you are not the
intended recipient of this message, please be advised that any
dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the
original message and any attached documentation. Thank you.


Re: Retrieveuserdata plugin

by Paul Lesniewski

On Tue, May 19, 2009 at 2:11 PM, Hugo Monteiro <hugo.monteiro@...> wrote:

> Paul Lesniewski wrote:
>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>
>>> Hello list,
>>>
>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>> automatically get the users information from LDAP. From time to time i'm
>>> getting complaints from users that say that suddenly they have found
>>> their webmail account information changed to match another users
>>> information, like the full name and email address. I haven't been able
>>> to find a pattern until today.
>>>
>>> Today i got another of those complaints, but the user referred that the
>>> information that he got in his webmail account was from a friend that
>>> shared the same workstation as him.
>>>
>>
>> This is a known issue in SquirrelMail.  The first user needs to log
>> out before the second user logs in.
>>
>>
>>> I was wondering if anyone using this plugin has experienced this type of
>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>> i was wondering if there was any alternative to provide this feature.
>>>
>>
>> It's nothing to do with the plugin; it's a limitation of using
>> SquirrelMail in the same browser with more than one account.
>>
>>
>
> Hello Paul,
>
> Thank you for the prompt reply. I was wondering if there was anything
> one could do to prevent this from happening, apart from educating the users.

Nope, sorry.  Not currently.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Retrieveuserdata plugin

by Paul Lesniewski

On Tue, May 19, 2009 at 3:12 PM, Brett Johnson <brett@...> wrote:

> Hugo Monteiro wrote:
>> Paul Lesniewski wrote:
>>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>>
>>>> Hello list,
>>>>
>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>> automatically get the users information from LDAP. From time to time i'm
>>>> getting complaints from users that say that suddenly they have found
>>>> their webmail account information changed to match another users
>>>> information, like the full name and email address. I haven't been able
>>>> to find a pattern until today.
>>>>
>>>> Today i got another of those complaints, but the user referred that the
>>>> information that he got in his webmail account was from a friend that
>>>> shared the same workstation as him.
>>>>
>>> This is a known issue in SquirrelMail.  The first user needs to log
>>> out before the second user logs in.
>>>
>>>
>>>> I was wondering if anyone using this plugin has experienced this type of
>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>> i was wondering if there was any alternative to provide this feature.
>>>>
>>> It's nothing to do with the plugin; it's a limitation of using
>>> SquirrelMail in the same browser with more than one account.
>>>
>>>
>>
>> Hello Paul,
>>
>> Thank you for the prompt reply. I was wondering if there was anything
>> one could do to prevent this from happening, apart from educating the users.
>>
>> TIA,
>>
>> Hugo Monteiro.
>>
> In my opinion this is not an issue specific to Squirrel Mail but to web
> based applications as a whole. This is the similar behavior that you
> see with sites like amazon.com. If user1 signs in to amazon.com and then
> navigates away from the site, amazon.com will remember the user
> information. If user2 then comes along and uses the same browser to
> access amazon.com, the site will still think user1 is accessing the site
> and display user1 information. What amazon.com does for this is provide
> a link under the user name with something like "Not user1? click here".
> (amazon.com does require re-authentication after some timeout period if
> a user tries to access account specific functions for the 'cached'
> account to protect against unauthorized access)
>
> The basic issue is the user info is stored on a session basis, and a
> single web browser instance can only have a single session with the web
> based application. When user2 comes along and signs in to the
> application, they in effect hijack the session. When user one goes back
> to access the application, they are now accessing it as user2.
>
> There is no way for the web application to let 2 users share a single
> session. The application has no way of know which user is making a
> specific request since the requests are all associated with a single
> session.
>
> Unfortunately there is no easy solution for session hijacking other than
> training the users.

If the browser side of the session is handled without cookies (the ID
gets added to all page addresses), then multiple sessions are possible.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Retrieveuserdata plugin

by Brett Johnson-3

Paul Lesniewski wrote:

> On Tue, May 19, 2009 at 3:12 PM, Brett Johnson <brett@...> wrote:
>> Hugo Monteiro wrote:
>>> Paul Lesniewski wrote:
>>>> On Tue, May 19, 2009 at 4:41 AM, Hugo Monteiro <hugo.monteiro@...> wrote:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>> automatically get the users information from LDAP. From time to time i'm
>>>>> getting complaints from users that say that suddenly they have found
>>>>> their webmail account information changed to match another users
>>>>> information, like the full name and email address. I haven't been able
>>>>> to find a pattern until today.
>>>>>
>>>>> Today i got another of those complaints, but the user referred that the
>>>>> information that he got in his webmail account was from a friend that
>>>>> shared the same workstation as him.
>>>>>
>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>> out before the second user logs in.
>>>>
>>>>
>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>
>>>> It's nothing to do with the plugin; it's a limitation of using
>>>> SquirrelMail in the same browser with more than one account.
>>>>
>>>>
>>> Hello Paul,
>>>
>>> Thank you for the prompt reply. I was wondering if there was anything
>>> one could do to prevent this from happening, apart from educating the users.
>>>
>>> TIA,
>>>
>>> Hugo Monteiro.
>>>
>> In my opinion this is not an issue specific to Squirrel Mail but to web
>> based applications as a whole. This is the similar behavior that you
>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>> navigates away from the site, amazon.com will remember the user
>> information. If user2 then comes along and uses the same browser to
>> access amazon.com, the site will still think user1 is accessing the site
>> and display user1 information. What amazon.com does for this is provide
>> a link under the user name with something like "Not user1? click here".
>> (amazon.com does require re-authentication after some timeout period if
>> a user tries to access account specific functions for the 'cached'
>> account to protect against unauthorized access)
>>
>> The basic issue is the user info is stored on a session basis, and a
>> single web browser instance can only have a single session with the web
>> based application. When user2 comes along and signs in to the
>> application, they in effect hijack the session. When user one goes back
>> to access the application, they are now accessing it as user2.
>>
>> There is no way for the web application to let 2 users share a single
>> session. The application has no way of know which user is making a
>> specific request since the requests are all associated with a single
>> session.
>>
>> Unfortunately there is no easy solution for session hijacking other than
>> training the users.
>
> If the browser side of the session is handled without cookies (the ID
> gets added to all page addresses), then multiple sessions is possible.
>
So would disabling client side cookies solve this problem?

--
Regards,

Brett Johnson


Re: Retrieveuserdata plugin

by Paul Lesniewski

>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>> automatically get the users information from LDAP. From time to time i'm
>>>>>> getting complaints from users that say that suddenly they have found
>>>>>> their webmail account information changed to match another users
>>>>>> information, like the full name and email address. I haven't been able
>>>>>> to find a pattern until today.
>>>>>>
>>>>>> Today i got another of those complaints, but the user referred that the
>>>>>> information that he got in his webmail account was from a friend that
>>>>>> shared the same workstation as him.
>>>>>>
>>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>>> out before the second user logs in.
>>>>>
>>>>>
>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>>
>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>> SquirrelMail in the same browser with more than one account.
>>>>>
>>>>>
>>>> Hello Paul,
>>>>
>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>> one could do to prevent this from happening, apart from educating the users.
>>>>
>>>> TIA,
>>>>
>>>> Hugo Monteiro.
>>>>
>>> In my opinion this is not an issue specific to Squirrel Mail but to web
>>> based applications as a whole. This is the similar behavior that you
>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>> navigates away from the site, amazon.com will remember the user
>>> information. If user2 then comes along and uses the same browser to
>>> access amazon.com, the site will still think user1 is accessing the site
>>> and display user1 information. What amazon.com does for this is provide
>>> a link under the user name with something like "Not user1? click here".
>>> (amazon.com does require re-authentication after some timeout period if
>>> a user tries to access account specific functions for the 'cached'
>>> account to protect against unauthorized access)
>>>
>>> The basic issue is the user info is stored on a session basis, and a
>>> single web browser instance can only have a single session with the web
>>> based application. When user2 comes along and signs in to the
>>> application, they in effect hijack the session. When user one goes back
>>> to access the application, they are now accessing it as user2.
>>>
>>> There is no way for the web application to let 2 users share a single
>>> session. The application has no way of know which user is making a
>>> specific request since the requests are all associated with a single
>>> session.
>>>
>>> Unfortunately there is no easy solution for session hijacking other than
>>> training the users.
>>
>> If the browser side of the session is handled without cookies (the ID
>> gets added to all page addresses), then multiple sessions is possible.
>
> So would disabling client side cookies solve this problem?

No, SquirrelMail doesn't support non-cookie operation currently.  Sorry.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Retrieveuserdata plugin

by Hugo Monteiro-2

Paul Lesniewski wrote:

>>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>>> automatically get the users information from LDAP. From time to time i'm
>>>>>>> getting complaints from users that say that suddenly they have found
>>>>>>> their webmail account information changed to match another users
>>>>>>> information, like the full name and email address. I haven't been able
>>>>>>> to find a pattern until today.
>>>>>>>
>>>>>>> Today i got another of those complaints, but the user referred that the
>>>>>>> information that he got in his webmail account was from a friend that
>>>>>>> shared the same workstation as him.
>>>>>>>
>>>>>>>              
>>>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>>>> out before the second user logs in.
>>>>>>
>>>>>>
>>>>>>            
>>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>>>
>>>>>>>              
>>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>>> SquirrelMail in the same browser with more than one account.
>>>>>>
>>>>>>
>>>>>>            
>>>>> Hello Paul,
>>>>>
>>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>>> one could do to prevent this from happening, apart from educating the users.
>>>>>
>>>>> TIA,
>>>>>
>>>>> Hugo Monteiro.
>>>>>
>>>>>          
>>>> In my opinion this is not an issue specific to Squirrel Mail but to web
>>>> based applications as a whole. This is the similar behavior that you
>>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>>> navigates away from the site, amazon.com will remember the user
>>>> information. If user2 then comes along and uses the same browser to
>>>> access amazon.com, the site will still think user1 is accessing the site
>>>> and display user1 information. What amazon.com does for this is provide
>>>> a link under the user name with something like "Not user1? click here".
>>>> (amazon.com does require re-authentication after some timeout period if
>>>> a user tries to access account specific functions for the 'cached'
>>>> account to protect against unauthorized access)
>>>>
>>>> The basic issue is the user info is stored on a session basis, and a
>>>> single web browser instance can only have a single session with the web
>>>> based application. When user2 comes along and signs in to the
>>>> application, they in effect hijack the session. When user one goes back
>>>> to access the application, they are now accessing it as user2.
>>>>
>>>> There is no way for the web application to let 2 users share a single
>>>> session. The application has no way of know which user is making a
>>>> specific request since the requests are all associated with a single
>>>> session.
>>>>
>>>> Unfortunately there is no easy solution for session hijacking other than
>>>> training the users.
>>>>        
>>> If the browser side of the session is handled without cookies (the ID
>>> gets added to all page addresses), then multiple sessions is possible.
>>>      
>> So would disabling client side cookies solve this problem?
>>    
>
> No, SquirrelMail doesn't support non-cookie operation currently.  Sorry.
>
>  

Is there any plugin, or hack, to add that Amazon-like "not UserX? Click
here." so the user can be sure it's not using someone else's session?

Regards,

Hugo Monteiro.


Re: Retrieveuserdata plugin

by Paul Lesniewski

On Wed, May 20, 2009 at 10:09 AM, Hugo Monteiro
<hugo.monteiro@...> wrote:

> Paul Lesniewski wrote:
>>>>>>>> I'm currently using the retrieve user data plugin, version 0.9, to
>>>>>>>> automatically get the users information from LDAP. From time to time i'm
>>>>>>>> getting complaints from users that say that suddenly they have found
>>>>>>>> their webmail account information changed to match another users
>>>>>>>> information, like the full name and email address. I haven't been able
>>>>>>>> to find a pattern until today.
>>>>>>>>
>>>>>>>> Today i got another of those complaints, but the user referred that the
>>>>>>>> information that he got in his webmail account was from a friend that
>>>>>>>> shared the same workstation as him.
>>>>>>>>
>>>>>>>>
>>>>>>> This is a known issue in SquirrelMail.  The first user needs to log
>>>>>>> out before the second user logs in.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I was wondering if anyone using this plugin has experienced this type of
>>>>>>>> behaviour. I also noticed that this plugin isn't maintained anymore, and
>>>>>>>> i was wondering if there was any alternative to provide this feature.
>>>>>>>>
>>>>>>>>
>>>>>>> It's nothing to do with the plugin; it's a limitation of using
>>>>>>> SquirrelMail in the same browser with more than one account.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello Paul,
>>>>>>
>>>>>> Thank you for the prompt reply. I was wondering if there was anything
>>>>>> one could do to prevent this from happening, apart from educating the users.
>>>>>>
>>>>>> TIA,
>>>>>>
>>>>>> Hugo Monteiro.
>>>>>>
>>>>>>
>>>>> In my opinion this is not an issue specific to Squirrel Mail but to web
>>>>> based applications as a whole. This is the similar behavior that you
>>>>> see with sites like amazon.com. If user1 signs in to amazon.com and then
>>>>> navigates away from the site, amazon.com will remember the user
>>>>> information. If user2 then comes along and uses the same browser to
>>>>> access amazon.com, the site will still think user1 is accessing the site
>>>>> and display user1 information. What amazon.com does for this is provide
>>>>> a link under the user name with something like "Not user1? click here".
>>>>> (amazon.com does require re-authentication after some timeout period if
>>>>> a user tries to access account specific functions for the 'cached'
>>>>> account to protect against unauthorized access)
>>>>>
>>>>> The basic issue is the user info is stored on a session basis, and a
>>>>> single web browser instance can only have a single session with the web
>>>>> based application. When user2 comes along and signs in to the
>>>>> application, they in effect hijack the session. When user one goes back
>>>>> to access the application, they are now accessing it as user2.
>>>>>
>>>>> There is no way for the web application to let 2 users share a single
>>>>> session. The application has no way of know which user is making a
>>>>> specific request since the requests are all associated with a single
>>>>> session.
>>>>>
>>>>> Unfortunately there is no easy solution for session hijacking other than
>>>>> training the users.
>>>>>
>>>> If the browser side of the session is handled without cookies (the ID
>>>> gets added to all page addresses), then multiple sessions is possible.
>>>>
>>> So would disabling client side cookies solve this problem?
>>>
>>
>> No, SquirrelMail doesn't support non-cookie operation currently.  Sorry.
>>
>>
>
> Is there any plugin, or hack, to add that amazon like "not UserX? Click
> here." so the user can be sure it's not using someone elses session?

There are about two plugins in the visual additions category that put
the username in the left (folder) frame.  But this is not fool-proof,
either.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
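
The shared-cookie behaviour discussed in this thread, as an added example that is not part of any post and is not SquirrelMail or plugin code: a small Python model of one browser cookie jar used by two people, where a page rendered for user1 is submitted after user2 has logged in. It goes beyond the thread by also showing one generic server-side check (a form token bound to the session and user); the class names, sample users and token scheme are assumptions of the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment secret


class Browser:
    """One cookie jar per site, shared by every tab and every person using it."""

    def __init__(self):
        self.cookie = None


class WebmailModel:
    """Hypothetical cookie-session web application (not SquirrelMail's code)."""

    def __init__(self, bind_forms):
        self.bind_forms = bind_forms  # False: behaviour described in the thread
        self.sessions = {}            # session id -> logged-in username
        self.prefs = {}               # username -> saved profile

    def login(self, browser, username):
        if self.bind_forms:
            # Hardened: discard whatever session this browser already holds.
            self.sessions.pop(browser.cookie, None)
            browser.cookie = None
        if browser.cookie not in self.sessions:
            browser.cookie = secrets.token_hex(16)
        # Without the reset above, the existing session is simply taken over.
        self.sessions[browser.cookie] = username

    def _token(self, session_id, username):
        msg = f"{session_id}:{username}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def render_options_form(self, browser, full_name, email):
        """Page showing the profile of whoever the session belongs to right now."""
        user = self.sessions[browser.cookie]
        return {
            "full_name": full_name,
            "email": email,
            "token": self._token(browser.cookie, user),
        }

    def save_options(self, browser, form):
        """Store the submitted profile for the session's current user."""
        user = self.sessions.get(browser.cookie)
        if user is None:
            return False
        if self.bind_forms:
            expected = self._token(browser.cookie, user)
            if not hmac.compare_digest(expected, form.get("token", "")):
                return False  # form was rendered for another session or user
        self.prefs[user] = {"full_name": form["full_name"], "email": form["email"]}
        return True


def shared_workstation_scenario(bind_forms):
    """user1 leaves a page open without logging out, then user2 logs in."""
    app = WebmailModel(bind_forms)
    browser = Browser()

    app.login(browser, "user1")
    stale_form = app.render_options_form(browser, "User One", "user1@example.org")

    app.login(browser, "user2")  # same browser, same cookie jar

    # user1's old page is submitted; the cookie now identifies user2.
    accepted = app.save_options(browser, stale_form)
    return accepted, app.prefs.get("user2")


def fresh_form_is_accepted():
    """A form rendered after user2's login still works in the hardened model."""
    app = WebmailModel(bind_forms=True)
    browser = Browser()
    app.login(browser, "user1")
    app.login(browser, "user2")
    form = app.render_options_form(browser, "User Two", "user2@example.org")
    return app.save_options(browser, form), app.prefs["user2"]["full_name"]


if __name__ == "__main__":
    print("cookie only :", shared_workstation_scenario(bind_forms=False))
    print("bound forms :", shared_workstation_scenario(bind_forms=True))
```

In the cookie-only run user2's stored profile ends up holding user1's name and address; with the token check the stale submission is refused and nothing is written.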
