Hi, ok, here we are with the cookies.

First try (just login page):
- after login page load: SQMSESSID 600f0903f14941db0d8d7a8a6b81b1ff
- before regenerate: SQMSESSID 600f0903f14941db0d8d7a8a6b81b1ff

i.e., before the regenerate call, the session id stays the same.

Second try (exit immediately after regenerate):
- after login page load: SQMSESSID 080de59be5b358b9b0993b95cf3870f8
- after regenerate: SQMSESSID 7098cd4e23d8b90e0ad4d5dfdf2c186a; squirrelmail_language de_DE

So, the regenerate alters the session id despite a valid login!

Third try (exit immediately after session_write_close()):
- after login page load: SQMSESSID 6a76ecbe957184ad7dc8563d0e950da4
- after session_write_close(): SQMSESSID 0078fc5c6ed3a6faa756a85efed62358; squirrelmail_language de_DE; key KouVaayIPl81TQ%3D%3D

(That's just to verify the second try.)

Hope this gets you further. I will simply comment out the session_regenerate_id() call as long as I use PHP 4.

Bye
Anders

Paul Lesniewski wrote:
> On Thu, May 14, 2009 at 5:44 AM, Andreas Vogt <a_vogt@xxxxxxx> wrote:
>>
>> (SM 1.4.18, PHP 4.3.3)
>>
>> Hi,
>>
>> after updating to 1.4.18
>> all users are immediately logged out after login.
>> SM just asks the IMAP server for INBOX, then SM logs out.
>>
>> I could break this issue down to
>> line 82 in src/redirect.php
>> session_regenerate_id();
>>
>> As stated in the new redirect.php:
>> * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session
>> * cookie is only sent out in this call as of PHP 4.3.3), but PHP 4
>> * is not vulnerable to session fixation problems in SquirrelMail
>>
>> Obviously, PHP 4.3.3 got some problems with
>> session_regenerate_id();
>
> Ugh, yes indeed it looks like it. Can you take snapshots of the
> SquirrelMail cookies in your browser for each step?
>
> - after login page loads
> - just before the regenerate() call (put an exit; call before it)
> - just after the regenerate() call (put an exit; call after it)
> - after the session_write_close() call but before the
> header('Location') redirect
> (put an exit; call between the two) - should be around line 181
>
> It might also be helpful to see the contents of $_COOKIE under each of
> those steps.
>
>> I tried to disable line 82. After this, everything works great, but I
>> don't know what security problems I will get now (beside having PHP
>> 4.3.3 ;) )
>
> Probably none - it seems to be mostly a PHP 5 issue.
>
>> best regards and thank you for your great job!
>
> Thanks
>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
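The four snapshots Paul asks for (after login, before regenerate, after regenerate, after session_write_close()) can be taken in a single run by logging instead of calling exit; at each step. The script below is an added example written for this thread, not SquirrelMail's own src/redirect.php: it mirrors the same sequence of calls in a minimal login handler, records the cookie the browser presented and the current session id at each step, and checks that the session data written before session_regenerate_id() is still there afterwards. check_credentials() is a hypothetical stand-in for the real IMAP login, and the cookie name SQMSESSID is taken from the snapshots above. The regenerate call is gated on PHP >= 4.3.3 because, per the comment quoted from redirect.php, earlier 4.3.x releases do not send the new cookie from that call.

```php
<?php
// Added example, not SquirrelMail code. Instrumented login flow that
// logs the session cookie and id at each of the steps discussed above.

function check_credentials($user, $pass) {
    // Hypothetical stand-in for the IMAP login; one fixed demo account.
    return $user === 'demo' && $pass === 'demo';
}

// Log what the browser sent (from $_COOKIE) and what PHP now considers
// the session id. $_COOKIE only reflects this request's Cookie header, so
// a new id chosen by session_regenerate_id() will not show up in $_COOKIE
// until the browser's next request.
function snapshot($step) {
    $name   = session_name();
    $cookie = isset($_COOKIE[$name]) ? $_COOKIE[$name] : '(none)';
    error_log(sprintf('[%s] %s cookie=%s session_id=%s',
                      $step, $name, $cookie, session_id()));
}

session_name('SQMSESSID');      // cookie name seen in the snapshots above
session_start();
snapshot('after session_start');

$user = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$pass = isset($_POST['secretkey'])      ? $_POST['secretkey']      : '';
if (!check_credentials($user, $pass)) {
    header('Location: login.php');
    exit;
}

$_SESSION['user'] = $user;       // data that must survive the regeneration
$old_id = session_id();
snapshot('before session_regenerate_id');

// Session fixation defence: issue a fresh id once the user is
// authenticated. Only worthwhile where PHP actually sends the new cookie
// from this call (4.3.3 and later, per the redirect.php comment).
if (version_compare(PHP_VERSION, '4.3.3', '>=')) {
    session_regenerate_id();
}
snapshot('after session_regenerate_id');

if (session_id() === $old_id) {
    error_log('session_regenerate_id() did not change the id');
} elseif (!isset($_SESSION['user']) || $_SESSION['user'] !== $user) {
    error_log('session data was lost across session_regenerate_id()');
}

session_write_close();
snapshot('after session_write_close');
header('Location: webmail.php');
exit;
```

Compare the four logged lines with the browser's cookie jar on the following request: a successful regeneration shows the new session_id in the "after" lines and that same value arriving in $_COOKIE on the next request, while a logout right after login with a changed id points at the new cookie or the session data not making it across.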