Re: Purging trash give me "This page request could not be verified and appears to have expired" in sidebar


On Sat, Apr 26, 2014 at 4:25 AM, Ian Evans <dheianevans@xxxxxxxxx> wrote:
> On Sat, Apr 26, 2014 at 2:03 AM, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
> wrote:
>>
>> On Fri, Apr 25, 2014 at 5:03 PM, Ian Evans <dheianevans@xxxxxxxxx> wrote:
>> > On Wed, Apr 23, 2014 at 6:14 PM, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
>> > wrote:
>> >>
>> >> On Thu, Apr 17, 2014 at 10:53 AM, Ian Evans <dheianevans@xxxxxxxxx>
>> >> wrote:
>> >> > Hi there,
>> >> >
>> >> > Here's what happens: I delete a few messages then click on the purge
>> >> > link
>> >> > in the menu sidebar. The sidebar menu frame disappears and is
>> >> > replaced
>> >> > with
>> >> > a message saying "This page request could not be verified and appears
>> >> > to
>> >> > have expired" and a link to go to the login page.
>> >>
>> >> Do you have the folder list set to refresh itself?  Sounds like you
>> >> might not and the security token in that page has expired.
>> >
>> > Just to update you. The folder refresh was at 10 minutes. I took it down
>> > to
>> > 1 minute, but I'm still seeing the security token message.
>>
>> How recent was your download?  Did you apply any patches, etc?  Does
>> it work if you disable security tokens (not recommended as a long term
>> solution)?  Do other actions succeed (all form submits, such as
>> preference pages and message composition should send a security
>> token)?  Please try without any plugins activated.
>>
>> What is the full link target URL for the purge trash link?  If the
>> problem persists and especially if only this link is causing the
>> problem, you'll probably have to do some sleuthing on your system,
>> since I don't think anyone has ever seen this before.
>
> I downloaded it a couple of weeks ago. No patches.
>
> Where do I change security tokens? In squirrelmail-configure?

Yes ("Disable secure forms")

> And is it much
> of an issue disabling it if there's only two of us in the company?

Number of people is not very relevant (although the savvy of said
users might be).  It makes your installation vulnerable to CSRF
attacks.  You might at least try enabling referrer checks if you do
this.

> The trash purge link is
> https://www.example.com/squirrelmail/src/empty_trash.php?smtoken=cgbvXEN66stI

Looks fine.  Is the problem reproducible - can you log out, log back
in, click on purge and get the error?  Is the date/time/time zone set
correctly on the server?

You can look at what PHP thinks is the current time and the tokens
SquirrelMail has in memory by going into functions/strings.php, on
about line 1441, you should see:

   $tokens = sm_get_user_security_tokens(FALSE);

After that line, add this:

   sm_print_r('Current Time: ' . time(), $tokens);

You can just compare the numbers themselves, but if you want to
convert them into dates, you can use one of many sites such as
epochconverter [dot] com


-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
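
Added example (not part of the message above and not SquirrelMail code): a Python helper for reading the numbers that debug line prints, classifying the submitted smtoken as missing, expired, future-dated or valid. It assumes the output is a map of token string to creation time in Unix seconds; the two-day maximum age and five-minute skew tolerance are assumed parameters, and the sample values are constructed apart from the smtoken string quoted in the thread.

```python
from datetime import datetime, timezone

HINTS = {
    "missing": "token is not in the stored set (different or lost session, or already purged)",
    "future": "token is stamped later than 'Current Time' (server clock moved or is wrong)",
    "expired": "token is older than the allowed age",
    "valid": "token is present and within the allowed age; look elsewhere",
}

def utc(ts):
    """Render a Unix timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def triage_token(submitted, tokens, now, max_age_days=2, skew_tolerance=300):
    """Return (verdict, age_in_seconds) for the token carried by the failing link."""
    if submitted not in tokens:
        return "missing", None
    age = now - int(tokens[submitted])
    if age < -skew_tolerance:          # created "after" now: clock problem
        return "future", age
    if age > max_age_days * 86400:     # assumed maximum token age
        return "expired", age
    return "valid", age

def report(submitted, tokens, now, **limits):
    """Build a readable listing of all tokens plus the verdict for the submitted one."""
    verdict, _ = triage_token(submitted, tokens, now, **limits)
    lines = [f"current time  {now}  {utc(now)}"]
    for tok, ts in sorted(tokens.items(), key=lambda kv: kv[1]):
        mark = "<- submitted" if tok == submitted else ""
        lines.append(f"{tok:<14}{ts}  {utc(int(ts))}  age {now - int(ts)}s {mark}".rstrip())
    lines.append(f"{verdict}: {HINTS[verdict]}")
    return verdict, lines

# Constructed sample values; only the smtoken string is taken from the thread.
SAMPLE_NOW = 1398500000
SAMPLE_TOKENS = {"cgbvXEN66stI": 1398499400, "Zq1exampleAA": 1398300000}

if __name__ == "__main__":
    for line in report("cgbvXEN66stI", SAMPLE_TOKENS, SAMPLE_NOW)[1]:
        print(line)
```

Replace the sample values with the "Current Time" number and the token list from your own debug output, and pass the smtoken value from the link that fails.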

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users



