Author Topic: Session Timeout - Confused About the Fix  (Read 6236 times)

Offline Cutsie

Session Timeout - Confused About the Fix
« on: March 04, 2007, 03:43:41 PM »
Hi, I read the other thread and the ticket on the session timeout problem (where you're composing a message and the blasted thing suddenly logs you out for no good reason), but I am confused as to what the fix to it is?

I want to stay logged in until I tell it to log me out. I use multiple accounts and some sessions are quick, as there is no new mail to read or write, but some are long because I need to write mail.

The http://trac.roundcube.net/trac.cgi/ticket/1483951 ticket says:
Quote
This bug is fixed in the current SVN version. It remains in the beta but please do not reopen it because of that.

You can set $rcmail_config['session_lifetime'] = 0; to prevent timeouts.

Do I just need to set the session lifetime to 0 to have it keep me logged in until I log out (and is that secure in that nobody could get into it?)? Or do I have to download some files from the SVN area?  ???

Thanks!

Offline microUgly

Re: Session Timeout - Confused About the Fix
« Reply #1 on: March 04, 2007, 09:53:54 PM »
I think you should be able to just set that var. I've just done it and seems to be working so far.

Is it less secure? Technically, yes. For one, it means if someone can access your PC they can access your e-mail. Otherwise I think it's pretty safe.

Weeeee....

Offline Cutsie

Re: Session Timeout - Confused About the Fix
« Reply #2 on: March 05, 2007, 02:43:33 PM »
Thanks for your reply! I hope that fix will work for me, as well. I've lost several e-mails in full or part due to the problem even though I never changed the setting from the default 60!

I guess I won't be checking that e-mail on a public computer, is all! Or I'll have to remember to delete the cookie - that will make it secure again, correct? I don't normally use public computers, anyway.

Speaking of the cookie - I couldn't find it in my Cookies folder while I was logged in the other day. It was not under my site's name. Does it use a certain RoundCube cookie name instead?

Offline zyzzyvas

Re: Session Timeout - Confused About the Fix
« Reply #3 on: March 05, 2007, 04:09:07 PM »
Quote from: microUgly
I think you should be able to just set that var. I've just done it and seems to be working so far.

Is it less secure? Technically, yes. For one, it means if someone can access your PC they can access your e-mail. Otherwise I think it's pretty safe.

I don't really see a big security issue. As far as I can tell, setting the session lifetime to 0 just means that if you don't close your browser (or explicitly click "logout" in RC), you would stay logged in. In other words, this is only really a problem if you log in and then walk away from the computer.

As long as you logout/close (common sense in any public setting), you should be fine. Unless I'm missing something?

Kris

Offline Cutsie

Re: Session Timeout - Confused About the Fix
« Reply #4 on: March 05, 2007, 05:55:27 PM »
That's what my thinking was, too, but on the other thread (I think it is on the second page of this forum) ppl were talking about how even if you logged out, there was a security issue. So I dunno!

Offline zyzzyvas

Re: Session Timeout - Confused About the Fix
« Reply #5 on: March 05, 2007, 08:49:11 PM »
Quote from: Cutsie
That's what my thinking was, too, but on the other thread (I think it is on the second page of this forum) ppl were talking about how even if you logged out, there was a security issue. So I dunno!

I looked at the other thread but I still don't think there is a problem. The only way there can be a problem is if you either:

a) leave the browser open without logging out of RC, OR
b) have your browser set not to expire cookies when it is closed (a bad idea in general!)

"b" is a legitimate concern if the roundcube installation will be used by tons of people out of your control. But if it's for your own use, just remember to logout from RC and to set your browser to expire cookies on exit (in case you forget to logout before closing) and it should be fine.

Kris
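
Added example, not part of any poster's message and not RoundCube's own code: a simplified Python model of the cases discussed in this thread (idle timeout, a lifetime of 0, explicit logout, and whether the browser keeps the cookie after it is closed). The `SessionStore` class, its method names and the treatment of the lifetime value as minutes are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Simplified server-side session table (illustrative model only)."""

    def __init__(self, session_lifetime_min):
        # Assumption: the value is in minutes and 0 disables idle expiry.
        self.lifetime = session_lifetime_min * 60
        self.sessions = {}  # session id -> time of last activity (seconds)

    def login(self, now):
        sid = secrets.token_hex(16)  # unguessable session id sent as a cookie
        self.sessions[sid] = now
        return sid

    def logout(self, sid):
        # Server-side invalidation: the cookie value is useless afterwards.
        self.sessions.pop(sid, None)

    def check(self, sid, now):
        last = self.sessions.get(sid)
        if last is None:
            return False  # unknown or logged-out session
        if self.lifetime and now - last > self.lifetime:
            del self.sessions[sid]  # idle for too long: expire it
            return False
        self.sessions[sid] = now  # any request (e.g. an autosave) resets the timer
        return True


def leftover_cookie_accepted(lifetime_min, idle_min, logged_out, cookie_kept):
    """Is a request accepted idle_min minutes after login from the same browser?"""
    store = SessionStore(lifetime_min)
    sid = store.login(now=0)
    if logged_out:
        store.logout(sid)
    if not cookie_kept:
        return False  # browser dropped the session cookie on close
    return store.check(sid, now=idle_min * 60)
```

With a lifetime of 0 the only remaining protections in this model are the explicit logout and the browser discarding the cookie on close, which are the two conditions named in the reply above.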

Offline Cutsie

Re: Session Timeout - Confused About the Fix
« Reply #6 on: March 07, 2007, 10:50:16 AM »
Arrgh!!! It logged me out again - even with the "fix" of setting the timeout to 0!  >:( >:( >:(

Somebody help!!!

Offline microUgly

Re: Session Timeout - Confused About the Fix
« Reply #7 on: March 07, 2007, 07:47:02 PM »
You said your default value was 60. I only just installed RC and the default was 10. Maybe there is a newer version you can upgrade to?

Offline Cutsie

Re: Session Timeout - Confused About the Fix
« Reply #8 on: March 08, 2007, 10:29:36 AM »
I have the 1.0-beta2. I only just installed it in January or February.

Offline Cutsie

Re: Session Timeout - Confused About the Fix
« Reply #9 on: March 08, 2007, 01:22:03 PM »
It is working now. I must not have closed my browser when I tried it before.  ::)

I was just able to write a whole e-mail without the thing kicking me out - through at least two autosaves, even!  :)