New sessions after login

[Ni@…]

Each time after successful login roundcube tries creates new session:

sess_regenerate_id();

You should remove it, because no info about login is saved there, or generate new session and then perform login routine!

[thomasb]

No, this is the intended behavior. The session ID you get when opening the login-form should be thrown away after the login succeeded for security reasons. If this does not work, there's something wrong with the session module of your PHP installation.

[treenet]

Correction. The problem is in the way regenerate works.
NP: Current code calls it rcube_sess_regenerate_id()

According to the PHP docs and enforced from PHP5, if session_id($newid) is called after session_start() or if session auto_start is enabled, session_id() will have no effect.

The result on rcmail is that the cookie is set to an invalid session ID (the newly generated one) which is unknown to PHP. This causes the login screen to bounce back infinitely without a reported error when a session already exists.

$RCMAIl->kill_session() which is now used only unsets the variables internal to the session, not the session itself. Which leaves the problem in place.

I've spent some time looking into all the alternatives here. .htaccess and ini_set changes to disable sessions do not work. Discarding regenerate kills the cookie and causes issues with server access so the initial request is not an option.

The only change which does work without side effects is to bypass the session_id() alteration inside regenerate. The security issues occur if data is left unwiped inside $_SESSION. Which is now a duty handled by rcmail::kill_session() not regenerate.

--- program/include/session.inc.orig 2009-06-15 11:05:06.000000000 +1200
+++ program/include/session.inc 2009-06-15 11:06:09.000000000 +1200
@@ -140,6 +140,8 @@

function rcube_sess_regenerate_id()
{

+ if(!isset($_SESSION)) {
+

$randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

for ($random = "", $i=1; $i <= 32; $i++) {

@@ -153,7 +155,10 @@

rcube_sess_destroy(session_id());

session_id($random);

-
+ }
+ else {
+ $random = session_id();
+ }

$cookie = session_get_cookie_params();
$lifetime = $cookielifetime? ? time() + $cookielifetime? : 0;

[thomasb]

Sorry, but I can't find the problem here.

In rcube_sess_regenerate_id() first rcube_sess_destroy(session_id()) is called to delete the session record from the database. When calling session_id($random) the internal session ID is set to the new value and finally when the session data is saved again, this new ID will be used. To make sure the client get's the new session ID we finally call rcmail::setcookie(session_name(), $random, $lifetime).

This works fine on all my installations of RoundCube. If it doesn't for you, please let us know what version of PHP and what webserver software you use.