Opened 21 months ago
Closed 20 months ago
#1488063 closed Bugs (fixed)
session error still sets task to "mail"
| Reported by: | paullckby | Owned by: | |
|---|---|---|---|
| Priority: | 4 | Milestone: | 0.7-beta |
| Component: | Plugin API | Version: | 0.6-beta |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
When there is a session error, the task still gets set to "mail" or whatever the task was when the session expired. This causes plugins to be executed as though the user were still logged in.
To reproduce: log in. Delete all Roundcube cookies. Refresh the page and look at the $_SESSION.
Change History (10)
comment:1 Changed 21 months ago by alec
- Milestone changed from later to 0.6-stable
comment:2 Changed 21 months ago by thomasb
comment:3 Changed 21 months ago by paullckby
The gist of the plugin I've got is that it is supposed to run whenever the user is logged in. That is, whenever the user is NOT in the task 'login' or 'logout'.
So I've got in config/main.inc.php this:
$rcmail_config['plugins'] = array('foobar');
Then I have in plugins/foobar/foobar.php this:
    <?php
    class foobar extends rcube_plugin {
        function init() {
            $rcmail = rcmail::get_instance();
            if ($rcmail->task != 'login' && $rcmail->task != 'logout') {
                print_r($_SESSION);
            }
        }
    }
    ?>
If the user is logged in, I expect to see it print the $_SESSION var, which I use to get the username and password to run in my plugin. If the user is NOT logged in, I expect it to print nothing.
In cases where the user explicitly logs out, the $_SESSION var gets erased and replaced with something that is pretty empty. However in the case of a session error that logs the user out automatically, the $rcmail->task variable is still set to whatever it was before it force logged out the user (e.g. 'mail' or 'settings') and the $_SESSION still indicates that the user is logged in, with all the username and password information still in it.
comment:4 follow-up: ↓ 7 Changed 21 months ago by alec
But what does your plugin do? As Thomas said, plugins are initialized before the session validity check. Maybe we should provide some global hook which will be executed after the check (ca. line 213 of index.php file).
comment:5 follow-up: ↓ 6 Changed 21 months ago by paullckby
I really feel as though the actions of my plugin are pretty irrelevant to the bigger problem that the task is being set incorrectly. In index.php, line 184, just after it sends a session error notification, it sets the task to 'login', but the plugin is not getting that. It's still getting what it would have been had there not been a session error.
But for the record, the plugin is one that initiates a jabber chat client. The chat client appears on any page that is not login or logout or an ajax call. So when a session error happens, my plugin still gets the wrong task and then you have a login screen with a chat window on it which is wrong.
comment:6 in reply to: ↑ 5 Changed 21 months ago by alec
Replying to paullckby:
In index.php, line 184, just after it sends a session error notification, it sets the task to 'login', but the plugin is not getting that.
It's not getting that, because the plugin's init() function is executed before that. Do you read our comments?
comment:7 in reply to: ↑ 4 Changed 21 months ago by alec
Replying to alec:
Maybe we should provide some global hook which will be executed after the check (ca. line 213 of index.php file).
... or maybe a flag which will make a plugin be initialized after the session check.
comment:8 Changed 21 months ago by alec
- Milestone changed from 0.6-stable to 0.7-beta
comment:9 Changed 21 months ago by alec
- Component changed from Core functionality to Plugin API
comment:10 Changed 20 months ago by alec
- Resolution set to fixed
- Status changed from new to closed
Added 'ready' hook in [37030217]. Use it.

$_SESSION['task'] is irrelevant and only used internally.
Plugins are loaded before session validity is checked and this cannot be changed in general. What plugin hooks are you talking about? Please describe your concrete use case and what is going wrong.
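
The 'ready' hook from comment:10, applied to the plugin in comment:3, as an added example that is not part of the ticket or of Roundcube's own code. It assumes the hook passes the validated task in $args['task'] and that $rcmail->user->ID is empty when nobody is authenticated; the env key foobar_user and the method names on_ready and start_chat_client are hypothetical.

```php
<?php
// Added example: defer session-dependent work until the session has been validated.
class foobar extends rcube_plugin
{
    function init()
    {
        // init() runs before index.php checks session validity, so
        // $rcmail->task and $_SESSION can still describe an expired session.
        // Do nothing session-dependent here; only register the hook.
        $this->add_hook('ready', array($this, 'on_ready'));
    }

    // Assumption: called after the session check with the task that
    // index.php finally settled on ('login' after a session error).
    function on_ready($args)
    {
        $rcmail = rcmail::get_instance();

        // Skip the unauthenticated screens.
        if (in_array($args['task'], array('login', 'logout'), true)) {
            return $args;
        }

        // Second check: require an authenticated user object instead of
        // trusting whatever is left in $_SESSION.
        if (empty($rcmail->user) || empty($rcmail->user->ID)) {
            return $args;
        }

        $this->start_chat_client($rcmail);
        return $args;
    }

    // Hypothetical stand-in for the plugin's real work: expose only the
    // username to the client side, never the stored password.
    private function start_chat_client($rcmail)
    {
        $rcmail->output->set_env('foobar_user', $rcmail->user->get_username());
    }
}
```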