possible SQMSESSID, account merging bug

Greetings,

Not sure if I should enter a tracker bug for this, seeing as how it may have been addressed in the past.

Customers have reported that some of their account details get 'merged' into another account that they typically use from the same workstation. Specifically, the name and email address prefs get copied from one account and actually saved into the preferences of another.

I'm not able to reproduce this exact behavior, but seeing as how the SQMSESSID doesn't seem to change between login/logout, it's easy to see how this could happen under certain circumstances.

It seems that new session IDs are not generated, and the attempts by squirrelmail to remove the SQMSESSID cookie by setting the date to Thu, 01-Jan-1970 00:00:01 GMT don't seem to remove all instances of the cookie.

The problem seems very similar to this:

http://www.linux-archive.org/centos/232460-squirrelmail-sending-under-wrong-username.html

Squirrelmail Version = 1.4.17. Also problem appears in 1.4.18-svn (13411).
plugins = none. just defaults.
php version = 4.3.10 (problem also appears with 5.2)
web server = apache 2.0.54
imap server = dovecot 1.0
smtp server = postfix 2.1.5
browser = firefox 3.0.5

Differences in install: Squirrelmail is in subdir instead of docroot.

In the test cases detailed below, we have r13411 of stable branch in /webmail-test/, but the latest stable release (1.4.17) has the exact same behavior.

src/configtest.php displays no warnings or errors.

If I hit src/login.php without having any cookies sent, Squirrelmail sends 4 Set-Cookie headers:

Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure
Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly

According to Firefox Web developer plugin, this results in 2 cookies being set:

Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session

Name SQMSESSID
Value f7714943ee06d0c828b19b901f5bbaa9
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session

Upon logging in (POST to /src/redirect.php), my browser sends the following cookies:

Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0

I get a 302 redirect response, with the following Set-Cookie headers:

Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: squirrelmail_language=en_US; expires=Sat, 04-Apr-2009 17:41:10 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly

Subsequent page access while logged in all have multiple Set-Cookie headers.

/src/compose.php sends these:

Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly

/src/addressbook.php sends these:

Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly

/src/signout.php sends these:

Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: key=SQMTRASH; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly

At this point, Firefox Web developer shows that I have two cookies:

Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session

Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT

If I go to login.php, my browser sends this:

Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; squirrelmail_language=deleted

And I get these headers in the response:

Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly

Firefox web developer plugin shows I still have these cookies:

Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires At End Of Session

Name SQMSESSID
Value eb5b3ed9d88a9a43d95a4a97958190c0
Host mail.voyageurweb.com
Path /webmail-test/src/
Secure Yes
Expires At End Of Session

Name squirrelmail_language
Value deleted
Host mail.voyageurweb.com
Path /webmail-test/
Secure Yes
Expires Sat, 04 Apr 2009 17:41:49 GMT

--
John Workman
VoyageurWeb Engineering
P.O. Box 205
Mankato, MN 56002-0205
(507) 344-2280
http://www.voyageurweb.com

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
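
Added example, not part of the original post and not SquirrelMail code: a minimal cookie jar that applies RFC 6265's default-path rule and replays the Set-Cookie headers reported above (repeats collapsed), showing why the expiry sent by signout.php leaves one SQMSESSID stored. The full request paths under /webmail-test/ and the fixed clock `NOW` are assumptions; RFC 6265 writes the default path as /webmail-test/src, which Firefox 3.0.5 in the post displays as /webmail-test/src/.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
A = "f7714943ee06d0c828b19b901f5bbaa9"   # session IDs copied from the post
B = "eb5b3ed9d88a9a43d95a4a97958190c0"
NOW = datetime(2009, 3, 5, tzinfo=timezone.utc)   # assumed clock: date of the post
EPOCH = "expires=Thu, 01-Jan-1970 00:00:01 GMT"
# (request path, Set-Cookie values); assumption: /src/... lives under /webmail-test/
EXCHANGES = [
    ("/webmail-test/src/login.php", [
        f"SQMSESSID={A}; secure; HttpOnly",
        f"SQMSESSID={B}; path=/webmail-test/; secure; HttpOnly"]),
    ("/webmail-test/src/redirect.php", [
        f"SQMSESSID={B}; secure; HttpOnly",
        f"SQMSESSID={B}; path=/webmail-test/; secure; HttpOnly",
        "key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly"]),
    ("/webmail-test/src/signout.php", [
        f"SQMSESSID={B}; secure; HttpOnly",
        f"SQMSESSID={B}; {EPOCH}; path=/webmail-test/; secure; HttpOnly",
        f"key=SQMTRASH; {EPOCH}; path=/webmail-test/; secure; HttpOnly"]),
]

def default_path(request_path):
    # RFC 6265 section 5.1.4: directory of the request URI, no trailing slash
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def apply_set_cookie(jar, request_path, header, now=NOW):
    # The jar is keyed by (name, path): same name, different path = two cookies
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    path, expires = default_path(request_path), None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
        elif key.lower() == "expires":
            expires = parsedate_to_datetime(val)
    if expires is not None and expires <= now:
        jar.pop((name, path), None)   # expiry removes only the matching (name, path)
    else:
        jar[(name, path)] = value

def replay(exchanges, now=NOW):
    jar = {}
    for request_path, headers in exchanges:
        for header in headers:
            apply_set_cookie(jar, request_path, header, now)
    return jar
```

`replay(EXCHANGES)` returns the single entry `('SQMSESSID', '/webmail-test/src')`, the cookie that was set without a path attribute. An expiry carrying `path=/webmail-test/` never matches that entry; removing it takes an expiring Set-Cookie with the same path scope.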
Re: possible SQMSESSID, account merging bug

On Thu, Mar 5, 2009 at 10:48 AM, John Workman <johnw@...> wrote:
> Greetings,
>
> Not sure if I should enter a tracker bug for this, seeing as how it may
> have been addressed in the past.
>
> Customers have reported that some of their account details get 'merged'
> into another account that they typically use from the same workstation.
> Specifically, the name and email address prefs get copied from one
> account and actually saved into the preferences of another.

This is a known issue that is for now (as long as SM uses cookie-based sessions). The use case that can reproduce it is to log in to one account, then in another tab of the SAME browser window, log into another account on the same server, NOT having logged out of the first account. The only way to avoid the problem is to use separate browsers for each account or make sure users log out of one account before using the next.

If you think this is related to any session ID/cookie problems, please show proof. We really appreciate all the details that follow, but the problem as explained above is not really going to be fixed until we accommodate non-cookie session management.

> I'm not able to reproduce this exact behavior, but seeing as how the
> SQMSESSID doesn't seem to change between login/logout, it's easy to see
> how this could happen under certain circumstances.
>
> It seems that new session IDs are not generated, and the attempts by
> squirrelmail to remove the SQMSESSID cookie by setting the date to Thu,
> 01-Jan-1970 00:00:01 GMT don't seem to remove all instances of the cookie.
>
> The problem seems very similar to this:
>
> http://www.linux-archive.org/centos/232460-squirrelmail-sending-under-wrong-username.html
>
>
> Squirrelmail Version = 1.4.17. Also problem appears in 1.4.18-svn (13411).
> plugins = none. just defaults.
> php version = 4.3.10 (problem also appears with 5.2)
> web server = apache 2.0.54
> imap server = dovecot 1.0
> smtp server = postfix 2.1.5
> browser = firefox 3.0.5
>
> Differences in install: Squirrelmail is in subdir instead of docroot.
>
> In the test cases detailed below, we have r13411 of stable branch in
> /webmail-test/, but the latest stable release (1.4.17) has the exact
> same behavior.
>
> src/configtest.php displays no warnings or errors.
>
>
> If I hit src/login.php without having any cookies sent, Squirrelmail
> sends 4 Set-Cookie headers:
>
> Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure
> Set-Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
>
> According to Firefox Web developer plugin, this results in 2 cookies
> being set:
>
> Name SQMSESSID
> Value eb5b3ed9d88a9a43d95a4a97958190c0
> Host mail.voyageurweb.com
> Path /webmail-test/
> Secure Yes
> Expires At End Of Session
>
> Name SQMSESSID
> Value f7714943ee06d0c828b19b901f5bbaa9
> Host mail.voyageurweb.com
> Path /webmail-test/src/
> Secure Yes
> Expires At End Of Session
>
> Upon logging in (POST to /src/redirect.php), my browser sends the
> following cookies:
> Cookie: SQMSESSID=f7714943ee06d0c828b19b901f5bbaa9; SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0
>
> I get a 302 redirect response, with the following Set-Cookie headers:
>
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: squirrelmail_language=en_US; expires=Sat, 04-Apr-2009 17:41:10 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: key=Q8EoIRw%3D; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
>
> Subsequent page access while logged in all have multiple Set-Cookie headers.
>
> /src/compose.php sends these:
>
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
>
> /src/addressbook.php sends these:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
>
> /src/signout.php sends these:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: key=SQMTRASH; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
>
> At this point, Firefox Web developer shows that I have two cookies:
> Name SQMSESSID
> Value eb5b3ed9d88a9a43d95a4a97958190c0
> Host mail.voyageurweb.com
> Path /webmail-test/src/
> Secure Yes
> Expires At End Of Session
>
> Name squirrelmail_language
> Value deleted
> Host mail.voyageurweb.com
> Path /webmail-test/
> Secure Yes
> Expires Sat, 04 Apr 2009 17:41:49 GMT
>
> If I go to login.php, my browser sends this:
> Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; squirrelmail_language=deleted
>
> And I get these headers in the response:
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/webmail-test/; secure; HttpOnly
> Set-Cookie: SQMSESSID=eb5b3ed9d88a9a43d95a4a97958190c0; path=/webmail-test/; secure; HttpOnly
>
> Firefox web developer plugin shows I still have these cookies:
> Name SQMSESSID
> Value eb5b3ed9d88a9a43d95a4a97958190c0
> Host mail.voyageurweb.com
> Path /webmail-test/
> Secure Yes
> Expires At End Of Session
>
> Name SQMSESSID
> Value eb5b3ed9d88a9a43d95a4a97958190c0
> Host mail.voyageurweb.com
> Path /webmail-test/src/
> Secure Yes
> Expires At End Of Session
>
> Name squirrelmail_language
> Value deleted
> Host mail.voyageurweb.com
> Path /webmail-test/
> Secure Yes
> Expires Sat, 04 Apr 2009 17:41:49 GMT