On Fri, 8 Sep 2006, Thomas Bruederli wrote:
What's this discussion all about? RoundCube has a session timeout for
security reasons, which can be turned off by configuration. Please, no
more discussion about advantages and disadvantages of session timeouts
or about intelligent and stupid users!
How can it be turned off? I remember you saying that
$rcmail_config['session_lifetime'] = false disables it, but someone some
doubts about that.
A session failure could occur if a request (like draft saving [btw. yes,
we already have an automatic draft saving mechanism!]) takes a lot of
time. In that case, the cookie could be switched to a new value but the
HTTP header has not been sent to the client yet. If the keep-alive
request is sent in the meantime, it arrives with the "old" cookie value
which will cause RoundCube to deny the request and send a redirect to
the login screen.
Besides the draft saving, could this also happen when deleting lots of
mails, one at a time? Like hitting constantly the delete botton?
With revision 338 I added some fall back for checking this changing
session cookie. There's also a log file (log/timeouts) that will be
filled with $_REQUEST and $_SESSION values if the session authorization
(not session timeout) fails.
Just updated and configured the main.inc.php. I'll test it and send feed
back.
--
21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
