Dear Jonathan,


I’ve conducted some more research on the subject and I am sorry that I’ve used the term ‘illegal token’. It wasn’t my intention to really indicate that an underscore is an illegal token by any documented URL standard. I can however confirm that the underscore is changed into a ‘%5’ on the following client systems:

- Windows system using Internet Explorer (any version)
- Windows system using Mozilla Firefox (any version)
- Linux system (tested on Slackware 10.0) using Mozilla Firefox (only tested with version 1.0.6)


The only client configuration that did work was Linux Slackware 10.0 using Konqueror.


I cannot confirm this problem is IIS related, since I haven’t been able to test this on a machine with Apache. This is still something on my todo-list, but unfortunately that list is quite long (like who of us doesn’t have a long todo-list ;). We have not used the lockdown tool provided by Microsoft for IIS, since all our outgoing HTTP traffic is going through a reverse proxy, which has a very good security model that unfortunately is incompatible with the lockdown tool. The reverse proxy however is not part of the issue, because the problem also occurs without the reverse proxy.


My statement for now is just that people having these problems might want to check their URL for this kind of token and check whether it is being translated. I will try spending some time on narrowing down the issue.


Greetings,


Geoff
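The check suggested in this thread, written out as an added example (not SquirrelMail code): compare the URL a browser requested with the Location it was redirected to, flag incomplete percent-escapes like the "%5" seen above and escapes that merely over-encode characters RFC 1738 section 2.2 allows literally, and report the first character of the path that the redirect altered. Hostnames and paths in the sample are constructed.

```python
# Added diagnostic for the redirect problem described in this thread; it is
# not SquirrelMail code. Given the requested URL and the redirect target,
# it reports (a) incomplete percent-escapes such as "%5", (b) escapes that
# over-encode characters RFC 1738 section 2.2 permits unencoded, and
# (c) the first unreserved character of the requested path that changed.
import re
from urllib.parse import urlsplit

# RFC 1738 section 2.2: alphanumerics plus the "safe" and "extra" sets may
# appear unencoded in a URL.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "$-_.+!*'(),"
)
# A '%' followed by zero to two hex digits; only a full pair is a valid escape.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{0,2}")


def classify_escapes(path):
    """Split the escapes in a path into incomplete and over-encoded ones."""
    incomplete, over_encoded = [], []
    for m in ESCAPE.finditer(path):
        esc = m.group(0)
        if len(esc) != 3:
            incomplete.append((m.start(), esc))
        elif chr(int(esc[1:], 16)) in UNRESERVED:
            over_encoded.append((m.start(), esc, chr(int(esc[1:], 16))))
    return incomplete, over_encoded


def check_redirect(requested, location):
    """Report how the redirect target's path diverges from the requested path."""
    req, loc = urlsplit(requested).path, urlsplit(location).path
    incomplete, over_encoded = classify_escapes(loc)
    # Walk both paths until they differ; a redirect that only appends
    # segments (index.php -> src/login.php) never diverges inside req.
    k = 0
    while k < len(req) and k < len(loc) and req[k] == loc[k]:
        k += 1
    altered = None
    if k < len(req) and req[k] in UNRESERVED:
        m = ESCAPE.match(loc, k)
        altered = (req[k], m.group(0) if m else loc[k:k + 1])
    return {"incomplete": incomplete, "over_encoded": over_encoded,
            "altered": altered, "intact": not (incomplete or altered)}


if __name__ == "__main__":
    # Constructed sample: hostname and path are made up for illustration.
    print(check_redirect("http://mail.example/sq_mail/",
                         "http://mail.example/sq%5mail/src/login.php"))
```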


From: Jonathan Angliss <[EMAIL PROTECTED]>
Re: Twice Login / Double Login problem (and solution)  
2005-08-16 21:44

 Hello Geoffrey A. van den Ouden,
 On Tuesday, August 16, 2005, you wrote:
 
 > I had this weird bug when using squirrelmail that when I first try
 > to login, I got an error message telling me that the user did not
 > exist. The second time the login did work. I really had no idea what
 > was causing this problem and I really tried almost everything that I
 > could find on this mailing list.
 
 > Yeah, I tried the session.auto_start = 1 in the PHP configuration and a
 > lot of other stuff, but it all didn't work for me.
 
 > Just today I finally noticed what the problem was. The URL I'm using has
 > an underscore ( _ ) and when logging into squirrelmail users get
 > redirected from index.php to src/login.php. This redirect adjusts the
 > underscore to a "%5" in my URL. Now when users try to log in, it doesn't
 > work, the user/login is not recognized. But when they click on the link to
 > return to the login page, the URL is restored with the underscore in it.
 > When they then try to login again, their credentials are accepted.
 
 > I"m using:
 > W2k3 - IIS 6.0
 > PHP 4.4.0
 > SM 1.4.5
 > MS Exchange 2000 / hMailServer
 
 > Just maybe there are more illegal tokens that are translated by the
 > redirect of the index.php. I believe that this problem is platform and
 > webserver independent and I hope this is a useful hint for some of you out
 > there.
 
 _ is not an illegal token I believe. In fact, it specifically mentions
 in RFC1738 that _ is allowed to appear within URLs without being
 encoded (see section 2.2). In addition, I don't believe we call a URL
 encode on the redirect in src/login, src/redirect, or src/webmail so
 it'd suggest a deeper underlying issue. What browser are you testing
 with? Have you tried a different browser (ie, Firefox over IE)? Do you
 still get it? If so, have you tried checking your IIS setup to see if
 there might be something there? I know there is an application you can
 run on IIS to force a lock down making IIS a lot more strict in what
 it accepts/does, did you run it?
 
 --
 Jonathan Angliss
 <[EMAIL PROTECTED]>
