On Monday 14 July 2003 16:29, Brian Candler wrote:
> On Mon, Jul 14, 2003 at 04:13:46PM -0400, Jesse Guardiani wrote:

[...]

> I'm not sure exactly what security risk you're alluding to. Sessions are
> infinite if you tickle them at least once per timeout period, and what's
> being suggested is that the user would have to re-authenticate, which would
> effectively start a new session anyway.
>
> It's perhaps more of a confusion risk - accidentally sending a message you
> wrote 4 weeks ago but forgot about - but if you just redisplayed the page
> they were at, that wouldn't be so much of a problem.

Still, I think I like the idea of a hard timeout so that any large
sqwebmail-saved files can be deleted in a timely fashion, rather than
hang around on the server indefinitely. Keeps things nice and clean.

>
> > > if a login has expired, take the POST data and store
> > > it all in a temporary field on the login screen.
> >
> > Yes, but then if the user just submitted a 10 Meg message he/she would
> > have to transfer that message from the server to the browser and from the
> > browser to the server before logging back in. This is why I suggest the
> > sqwebmail-saved file.
>
> I doubt users actually *type* 10 megs of stuff though. If you are attaching
> files, I guess that's another process - I really have not looked into how
> sqwebmail builds up a 'draft' message whilst allowing you to attach things.

It all gets sent via POST. Trust me: We want to store this stuff on the
server rather than pass it back and forth between the server and the
client. It's more efficient that way.

Now I suppose the question is this:

How the heck do we populate these forms using saved data? As far as I know,
sqwebmail just isn't designed to accommodate that sort of thing. I think I'll
have to examine the display functions for each page and modify the code
accordingly.

Does anyone have a better idea? Perhaps that template-engine redesign I
mentioned a few weeks ago is in order...

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
