Opened 4 years ago
Closed 4 years ago
#1486122 closed Bugs (fixed)
Expired sessions in an active browser window do not redirect to login page
| Reported by: | brandond | Owned by: | |
|---|---|---|---|
| Priority: | 4 | Milestone: | 0.3.1 |
| Component: | User Interface | Version: | 0.3-stable |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
If the user resumes an active but expired session, interval JS functions will trigger 'server error' messages, but the user will not be redirected to a login page unless they perform a full page refresh.
An easy way to replicate this is to log in to Roundcube on a laptop and then close it for 15 minutes (or whatever your session lifetime is set to). After re-opening the laptop, the first check_for_recent poll will have its session killed for being expired, but no message will be displayed to the user. Subsequent polls will display a red 'Server Error 404' message triggered by the request token mismatch.
Ideally the expiry would be detected and handled by refreshing the page to the login prompt with the 'sessionerror' message displayed.
Change History (3)
comment:1 Changed 4 years ago by brandond
- Component changed from Addressbook to User Interface
comment:2 Changed 4 years ago by JohnDoh
patch to fix this here http://trac.roundcube.net/ticket/1485952
comment:3 Changed 4 years ago by alec
- Resolution set to fixed
- Status changed from new to closed
Fixed in [ccc80d1c].

After looking at things a bit, it appears that the expired session is killed at source:trunk/roundcubemail/index.php#L144, which means that the test on line 153 will always fail and return a 404 error to the AJAX call.
Adding && !$_SESSION['temp'] to the test on line 153 seems to allow the expired session to fall through to the login redirect on line 169. I'm not sure if this subverts the intended security of the token check, but it does seem to resolve the issue.
With this change the 'expired session' warning only appears briefly before the user is redirected, and isn't shown on the login page. This may cause the user to wonder why they're back at a login screen... but it's a start.
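The failure mode the ticket describes, and the ordering of checks it asks for, as an added example. This is not Roundcube's code and not the reporter's patch: it is a self-contained Node.js model in which `createServer`, `handlePollResponse`, `simulatePoll`, the 401 + `{error: 'sessionerror'}` signal, the `/login?msg=sessionerror` URL and the 15-minute lifetime are all assumptions chosen for illustration. With the token check first (`'token-only'`), an expired session is destroyed and then fails the request-token test, so the polling client sees only a generic 404; with the expiry reported before the token check (`'expiry-first'`), the client can distinguish expiry and redirect to the login page with the reason.

```javascript
// Added example, not Roundcube code: an in-memory session store plus a client
// poll handler, exercised without a browser or network.

const SESSION_LIFETIME_MS = 15 * 60 * 1000; // assumed 15-minute session lifetime

// checkOrder is 'token-only' (expiry handled only by destroying the session,
// as the ticket describes) or 'expiry-first' (expiry reported explicitly).
function createServer(checkOrder) {
  const sessions = new Map(); // sessionId -> { token, lastActivity }
  let nextId = 1;

  return {
    // Creates a session with a per-session request token (CSRF-style).
    login(now) {
      const sessionId = String(nextId++);
      const token = 'tok-' + sessionId;
      sessions.set(sessionId, { token, lastActivity: now });
      return { sessionId, token };
    },

    // Handles one AJAX poll and returns an HTTP-like { status, body }.
    request(req, now) {
      const sess = sessions.get(req.sessionId);
      if (sess && now - sess.lastActivity > SESSION_LIFETIME_MS) {
        sessions.delete(req.sessionId); // expired: kill the session
        if (checkOrder === 'expiry-first') {
          // Tell the client why, instead of letting it hit the token check.
          return { status: 401, body: { error: 'sessionerror' } };
        }
      }
      const live = sessions.get(req.sessionId);
      // With the session gone there is nothing to compare the token against,
      // so an expired session can only fail here: a generic 404 for the client.
      if (!live || live.token !== req.token) {
        return { status: 404, body: { error: 'invalid request token' } };
      }
      live.lastActivity = now;
      return { status: 200, body: { unseen: 0 } };
    },
  };
}

// Client-side handling of a poll response. `ui` supplies redirect/showError
// so the logic can run headless; the URL is a hypothetical login path.
function handlePollResponse(res, ui) {
  if (res.status === 200) return 'ok';
  const err = res.body && res.body.error;
  if (res.status === 401 && err === 'sessionerror') {
    // Session is gone: go to the login page and carry the reason along so
    // the login form can display it, which is what the ticket asks for.
    ui.redirect('/login?msg=sessionerror');
    return 'redirected';
  }
  // Anything else is a genuine server error: show it and keep polling.
  ui.showError('Server Error ' + res.status);
  return 'error';
}

// Logs in, lets the lifetime elapse (laptop closed), then runs one poll and
// records what the UI would do.
function simulatePoll(checkOrder) {
  const server = createServer(checkOrder);
  const ui = {
    actions: [],
    redirect(url) { this.actions.push('redirect:' + url); },
    showError(msg) { this.actions.push('error:' + msg); },
  };
  const t0 = 0;
  const { sessionId, token } = server.login(t0);
  const res = server.request({ sessionId, token }, t0 + SESSION_LIFETIME_MS + 1000);
  const outcome = handlePollResponse(res, ui);
  return { status: res.status, outcome, actions: ui.actions };
}

console.log(simulatePoll('token-only'));   // status 404, generic error shown, no redirect
console.log(simulatePoll('expiry-first')); // status 401, redirect to /login?msg=sessionerror
```

The model only changes where expiry is reported relative to the token check; the token check itself still runs for every live session, so the CSRF protection is not weakened for requests that carry a valid session.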