« Return to Thread: possible SQMSESSID, account merging bug
possible SQMSESSID, account merging bug
by John Workman
::
Rate this Message:
Greetings,
Not sure if I should enter a tracker bug for this, seeing as how it may
have been addressed in the past.
Customers have reported that some of their account details get 'merged'
into another account that they typically use from the same workstation.
Specifically, the name and email address prefs get copied from one
account and actually saved into the preferences of another.
I'm not able to reproduce this exact behavior, but seeing as how the
SQMSESSID doesn't seem to change between login/logout, it's easy to see
how this could happen under certain circumstances.
It seems that new session IDs are not generated, and the attempts by
squirrelmail to remove the SQMSESSID cookie by setting the date to Thu,
01-Jan-1970 00:00:01 GMT doesn't seem to remove all instances of the cookie.
The problem seems very similar to this:
http://www.linux-archive.org/centos/232460-squirrelmail-sending-under-wrong-username.html
Squirrelmail Version = 1.4.17. Also problem appears in 1.4.18-svn (13411).
plugins = none. just defaults.
php version = 4.3.10 (problem also appears with 5.2)
web server = apache 2.0.54
imap server = dovecot 1.0
smtp server = postfix 2.1.5
browser = firefox 3.0.5
Differences in install: Squirrelmail is in subdir instead of docroot.
In the test cases detailed below, we have r13411 of stable branch in
/webmail-test/, but the latest stable release (1.4.17) has the exact
same behavior.
src/configtest.php displays no warnings or errors.
If I hit src/login.php without having any cookies sent, Squirrelmail
sends 4 Set-Cookie headers:
Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure
Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
According to Firefox Web developer plugin, this results in 2 cookies
being set:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session
Name SQMSESSID
Value f7714943ee06d0c828b19b901f5bbaa9
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Upon loggin in, (POST to /src/redirect.php), my browser sends the
following cookies:
Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9;
SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0
I get a 302 redirect response, with the following Set-Cookie headers:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: squirrelmail_language=en_US; expires=Sat, 04-Apr-2009
17:41:10 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Subsequent page access while logged in all have multiple Set-Cookie headers.
/src/compose.php sends theese:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
/src/addressbook.php sends these:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
/src/signout.php sends these:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=SQMTRASH; expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/webmail-test/; secure; HttpOnly
At this point, Firefox Web developer shows that I have two cookies:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT
If I go to login.php, my browser sends this:
Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
squirrelmail_language=deleted
And I get these headers in the response:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Firefox web developer plugin shows I still have these cookies:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT
--
John Workman
VoyageurWeb Engineering
P.O. Box 205 Mankato, MN 56002-0205
(507) 344-2280
http://www.voyageurweb.com
------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
Not sure if I should enter a tracker bug for this, seeing as how it may
have been addressed in the past.
Customers have reported that some of their account details get 'merged'
into another account that they typically use from the same workstation.
Specifically, the name and email address prefs get copied from one
account and actually saved into the preferences of another.
I'm not able to reproduce this exact behavior, but seeing as how the
SQMSESSID doesn't seem to change between login/logout, it's easy to see
how this could happen under certain circumstances.
It seems that new session IDs are not generated, and the attempts by
squirrelmail to remove the SQMSESSID cookie by setting the date to Thu,
01-Jan-1970 00:00:01 GMT doesn't seem to remove all instances of the cookie.
The problem seems very similar to this:
http://www.linux-archive.org/centos/232460-squirrelmail-sending-under-wrong-username.html
Squirrelmail Version = 1.4.17. Also problem appears in 1.4.18-svn (13411).
plugins = none. just defaults.
php version = 4.3.10 (problem also appears with 5.2)
web server = apache 2.0.54
imap server = dovecot 1.0
smtp server = postfix 2.1.5
browser = firefox 3.0.5
Differences in install: Squirrelmail is in subdir instead of docroot.
In the test cases detailed below, we have r13411 of stable branch in
/webmail-test/, but the latest stable release (1.4.17) has the exact
same behavior.
src/configtest.php displays no warnings or errors.
If I hit src/login.php without having any cookies sent, Squirrelmail
sends 4 Set-Cookie headers:
Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure
Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
According to Firefox Web developer plugin, this results in 2 cookies
being set:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session
Name SQMSESSID
Value f7714943ee06d0c828b19b901f5bbaa9
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Upon loggin in, (POST to /src/redirect.php), my browser sends the
following cookies:
Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9;
SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0
I get a 302 redirect response, with the following Set-Cookie headers:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: squirrelmail_language=en_US; expires=Sat, 04-Apr-2009
17:41:10 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Subsequent page access while logged in all have multiple Set-Cookie headers.
/src/compose.php sends theese:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
/src/addressbook.php sends these:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
/src/signout.php sends these:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=SQMTRASH; expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/webmail-test/; secure; HttpOnly
At this point, Firefox Web developer shows that I have two cookies:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT
If I go to login.php, my browser sends this:
Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
squirrelmail_language=deleted
And I get these headers in the response:
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu,
01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0;
path=/webmail-test/; secure; HttpOnly
Firefox web developer plugin shows I still have these cookies:
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session
Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session
Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT
--
John Workman
VoyageurWeb Engineering
P.O. Box 205 Mankato, MN 56002-0205
(507) 344-2280
http://www.voyageurweb.com
------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
« Return to Thread: possible SQMSESSID, account merging bug
| Free embeddable forum powered by Nabble | Forum Help |
