> Here is our sessions table in mysql :
> ...
>
> User information is mixing on different machines for users with apparently
> no connection other than they are our customers. This issue is happening
> more and more and is starting to become a real problem/security risk for
> our users. Can anyone provide a basic flow description of how and when
> squirrelmail populates personal information and/or gets information to
> send with outgoing mail? Specifically where user data is stored/retrieved
> from when logging in etc? For example, when sending outgoing mail does
> squirrelmail retrieve the from address from the longtext field from the
> mysql sessions table or is that kept in the user's local memory.

- Create new connection to squirrelmail
- Find record that is created in SQL
- Close browser with SquirrelMail (don't do Logout thing)
- Check if session record is still present
- Check if record disappears after 25 minutes (standard session.gc_maxlifetime)

It is possible that your mysql session routines do not check the expiry value, or your setup requires you to clean older session records manually, or keys are not random/unique.

Check "SELECT value FROM sessions_table WHERE sesskey = some-id AND expiry > some-unixtime-value" queries in the MySQL log. Maybe you have some wrong time value there.

I think SquirrelMail does not use SQL to store session information. You are talking on the wrong list. Talk to the people that wrote the sql session functions. Make sure that you have patched every sm file that uses session functions.

> How does squirrelmail know what the from address is if the person has not
> set any userprefs?

1. email = email set in selected id. function gets it from user prefs
2. email = email set in personal info. function gets it from user prefs
3. if $username looks like email ([EMAIL PROTECTED]), email=$username
4. else email = [EMAIL PROTECTED]

$username is provided by the user when he logs in. $domain is set in squirrelmail settings.

--
Tomas

--
squirrelmail-users mailing list
List Address: [EMAIL PROTECTED]
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
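
The checks suggested in the reply above, as an added example that is not part of the original message or of SquirrelMail. It uses an in-memory SQLite table in place of MySQL, takes the column names sesskey, expiry and value from the quoted query, and assumes expiry is a Unix timestamp in seconds; all rows are constructed.

```python
import sqlite3

NOW = 1_100_000_000      # constructed "current" Unix time for the sample data
MAX_LIFETIME = 25 * 60   # lifetime named in the reply; use your session.gc_maxlifetime

def sample_db():
    """In-memory stand-in for the MySQL table; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions_table (sesskey TEXT, expiry INTEGER, value TEXT)")
    db.executemany("INSERT INTO sessions_table VALUES (?, ?, ?)", [
        ("aaa", NOW + 600, "user=alice"),    # live session
        ("bbb", NOW - 3600, "user=bob"),     # expired but never cleaned up
        ("ccc", NOW + 600, "user=carol"),
        ("ccc", NOW + 900, "user=dave"),     # same key issued twice
        ("ddd", NOW * 1000, "user=erin"),    # expiry written in milliseconds
    ])
    return db

def read_session(db, sesskey, now):
    """Read with the expiry condition from the query quoted in the reply."""
    row = db.execute(
        "SELECT value FROM sessions_table WHERE sesskey = ? AND expiry > ?",
        (sesskey, now)).fetchone()
    return row[0] if row else None

def audit(db, now, max_lifetime=MAX_LIFETIME):
    """Return the session keys that match each failure mode from the reply."""
    def keys(sql, *args):
        return [r[0] for r in db.execute(sql, args)]
    return {
        # rows past expiry that garbage collection never removed
        "stale": keys("SELECT sesskey FROM sessions_table "
                      "WHERE expiry <= ? ORDER BY sesskey", now),
        # keys that are not unique, so two users can share one record
        "duplicate": keys("SELECT sesskey FROM sessions_table "
                          "GROUP BY sesskey HAVING COUNT(*) > 1 ORDER BY sesskey"),
        # expiry further out than any legitimate session: wrong time value
        "bad_expiry": keys("SELECT DISTINCT sesskey FROM sessions_table "
                           "WHERE expiry > ? ORDER BY sesskey", now + max_lifetime),
    }

if __name__ == "__main__":
    db = sample_db()
    print(audit(db, NOW))                 # keys per failure mode
    print(read_session(db, "bbb", NOW))   # expired row is not returned
```

A non-empty "stale" list alone is not a leak as long as the read path applies the expiry condition; a non-empty "duplicate" list means two logins can resolve to the same stored record.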