Hi to all.
I discovered a problem with the login where, after some logins and logouts,
every new login attempt kicked me back to the login screen, without any
mention of a problem in the logs. I searched the forum and found that some
users experienced similar problems.

After some debugging I found the weak point. The problem is that the
sess_read and sess_write methods, which are used during logout and also
by the periodical mail checking process, are not "synchronized"
(thread-safe). So it is possible that the two events occur at the same time.
The events occur in the following order:
1. Logout calls sess_read
2. Periodical Mail Check calls sess_read
3. Logout calls sess_write (with $vars (temp|b:1))
4. Periodical Mail Check calls sess_write ($vars without temp)
Step 4 ("mail check") overwrites the session parameters from Step 3
("logout"). The concrete problem in this case is the temp parameter. On the
next login, session_start reads in the session parameters, where "temp" must
be true to start a new session. Otherwise (when "temp" == false), Roundcube
expects a valid session and tries to resume that session. (In index.php,
$_SESSION['temp'] is checked, but the check fails.)
The only way to make a new login possible is to reset the cookies (restart IE
and delete cookies in Firefox).
From my point of view, the session handlers (session_start(),
session_destroy() and session_regenerate_id()) must be atomic. So the
session handler must have exclusive access to the custom session methods in
session.inc.
Micha.
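
The four-step interleaving described in the message above, replayed
deterministically, followed by the same steps under an exclusive per-session
lock. This is an added example, not Roundcube code and not from the original
message: SessionStore, tryLock/unlock, the session key and the session values
are all constructed for illustration.

```php
<?php
// Added illustration; not Roundcube's session.inc. All names and values are constructed.
final class SessionStore
{
    private array $rows = [];
    private array $locks = [];

    public function read(string $key): string { return $this->rows[$key] ?? ''; }
    public function write(string $key, string $vars): void { $this->rows[$key] = $vars; }

    // Non-blocking exclusive lock; a real handler would wait here instead of returning false.
    public function tryLock(string $key, string $owner): bool
    {
        if (isset($this->locks[$key]) && $this->locks[$key] !== $owner) {
            return false;
        }
        $this->locks[$key] = $owner;
        return true;
    }

    public function unlock(string $key, string $owner): void
    {
        if (($this->locks[$key] ?? null) === $owner) {
            unset($this->locks[$key]);
        }
    }
}

function unsynchronized(SessionStore $s, string $key): string
{
    $s->write($key, 'user_id|i:7;');   // constructed logged-in session
    $s->read($key);                    // 1. logout calls sess_read
    $stale = $s->read($key);           // 2. mail check calls sess_read
    $s->write($key, 'temp|b:1;');      // 3. logout calls sess_write (temp set)
    $s->write($key, $stale);           // 4. mail check writes its stale copy
    return $s->read($key);             // temp is gone: the lost update
}

function exclusive(SessionStore $s, string $key): string
{
    $s->write($key, 'user_id|i:7;');
    $s->tryLock($key, 'logout');                // logout owns the session row
    $s->read($key);
    $waited = !$s->tryLock($key, 'mailcheck');  // mail check cannot read yet
    $s->write($key, 'temp|b:1;');
    $s->unlock($key, 'logout');
    $s->tryLock($key, 'mailcheck');             // now proceeds after logout
    $fresh = $s->read($key);                    // already contains temp
    $s->write($key, $fresh);
    $s->unlock($key, 'mailcheck');
    return ($waited ? '[mail check waited] ' : '') . $s->read($key);
}

echo unsynchronized(new SessionStore(), 'sid'), "\n", exclusive(new SessionStore(), 'sid'), "\n";
```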