On 7/30/05, Rafael Martinez <[EMAIL PROTECTED]> wrote:
> On Fri, 2005-07-29 at 17:23 -0700, David Rees wrote:
> > On 7/29/05, Rafael Martinez Guerrero <[EMAIL PROTECTED]> wrote:
> > >
> > > We already run SM under https/SSL all the way, all the time and the  web
> > > server sets these headers:
> >
> > Hmm, so it's definitely not a proxy issue.  My next guess is that
> > there is a bug with the way PHP handles sessions.  What version of PHP
> > are you running?
> 
> We are running apache-1.3.33 and PHP-4.3.11.
> 
> Are you sure? I think this could be a proxy
> misconfiguration/bug/problem where the sessionID of one user was
> assigned to the other one (the two users were using the same proxy).

If you're running SM under https/SSL, there is no way for the proxy to
mix up your requests. When using https through a proxy, the proxy will
simply connect through; it can't read any of the request data such as
request headers or response headers.

You can guarantee that any data received via SSL has been untouched by
any proxy, otherwise you've just found a way to break SSL.

> I do not have data to corroborate this but it should not be any
> different between a proxy and a normal computer. And the problem of two
> users logging in from the same computer/browser was fixed some time ago,
> or isn't?

SM uses session cookies to maintain login state.  That means you need
to maintain one session cookie per SM login session.  If somehow a
different user got the same SM session cookie, they would then be able
to hijack the original user's SM session and view their email.

For example, when I start a SM session, I get a session cookie set
with the name SQMSESSID and a randomly generated hex string 32 chars
long.  If someone gets that 32 char hex string, they can hijack
my SM session.

I am not a SM developer so I'm not sure whether session cookies are
generated in SM or using a built-in PHP function to do so, but I would
assume the latter.  I don't know if there are any bugs in PHP's
session generating function, but it can't hurt to make sure you're
running the latest version of PHP.

-Dave
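As an added illustration of the session-cookie mechanism described in the message above (example code written for this page, not SquirrelMail's or PHP's own implementation): a small Python model of a server-side session table in which the SQMSESSID value is a random 32-character hex string, ids the server never issued (or that are malformed) are ignored, and the id is rotated when a user logs in. The cookie name and the 32-hex-char shape come from the message; the `SessionStore` class, its method names, the `Secure`/`HttpOnly` cookie line and the `alice`/`bob` sample users are assumptions constructed for the example.

```python
"""Model of cookie-based login sessions (added example, not SquirrelMail or PHP code).

The store, method names and the sample users below are constructed for
illustration. The cookie name SQMSESSID and the 32-hex-char id shape are
taken from the mailing-list message.
"""
import re
import secrets

SESSION_COOKIE = "SQMSESSID"                       # cookie name from the thread
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")    # 32 hex chars = 128 random bits


class SessionStore:
    """Server-side table: session id -> logged-in user (None = anonymous).

    Properties a defender wants from such a table:
      * ids come from a CSPRNG, never from anything the client sent;
      * an id the server never issued is rejected, so a client cannot
        pre-select ("fix") its own session id;
      * a successful login gets a brand-new id, so an id observed before
        login is worthless afterwards.
    The table cannot tell WHO presents a valid id; whoever holds the
    cookie is the user. That is exactly why the cookie must never be
    shared between two users' browsers.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_hex(16)               # 32 lowercase hex chars

    def start(self):
        """Issue an anonymous session, like the one handed out before login."""
        sid = self._new_id()
        self._sessions[sid] = None
        return sid

    def is_valid(self, cookie_value):
        """True only for a well-formed id that this server actually issued."""
        return (isinstance(cookie_value, str)
                and SESSION_ID_RE.match(cookie_value) is not None
                and cookie_value in self._sessions)

    def lookup(self, cookie_value):
        """Resolve a cookie to a username; None if anonymous, unknown or malformed."""
        if not self.is_valid(cookie_value):
            return None                            # never trust an unissued id
        return self._sessions[cookie_value]

    def login(self, old_sid, username):
        """Bind a user to a session and rotate the id (session-fixation mitigation)."""
        self._sessions.pop(old_sid, None)          # retire the pre-login id
        new_sid = self._new_id()
        self._sessions[new_sid] = username
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie line for an HTTPS-only deployment like the one in the thread.

    Secure: the browser sends the cookie only over TLS, so a proxy that merely
    tunnels the connection never sees it. HttpOnly: page script cannot read it.
    """
    return f"Set-Cookie: {SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"


def demo():
    """Walk two users through login and probe the store with bad ids."""
    store = SessionStore()
    pre_login = store.start()                      # anonymous id before login
    alice_sid = store.login(pre_login, "alice")
    bob_sid = store.login(store.start(), "bob")
    return {
        "alice": store.lookup(alice_sid),
        "bob": store.lookup(bob_sid),
        "distinct_ids": alice_sid != bob_sid,      # one cookie per login session
        "pre_login_dead": store.lookup(pre_login) is None,
        "forged": store.lookup("00" * 16),         # right shape, never issued
        "garbage": store.lookup("not-a-session-id"),
        "cookie_line": set_cookie_header(alice_sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the message: the server keys everything on the cookie value, so two browsers holding the same SQMSESSID are indistinguishable to it. The defences are therefore on the issuing side (unpredictable ids, rotation at login, rejecting unissued ids) and on transport (the `Secure` flag keeps the cookie inside the TLS tunnel the proxy cannot inspect).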


--
squirrelmail-users mailing list
Posting Guidelines: 
http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [email protected]
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id)95
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
