Author Topic: Autologon and "your session is invalid or expired"  (Read 4343 times)

Offline Omir

Autologon and "your session is invalid or expired"
« on: August 08, 2014, 01:21:17 PM »
I've made a customised version of the autologon plugin and all is working well except for one thing.

Every now and again the user is shown the Roundcube login page with the message "your session is invalid or expired".

Ideally I don't want users to ever see this screen as they are already logged in to my main site. Is there a way to capture the session expired event and simply create a new session or something?

Offline jwartnic

Re: Autologon and "your session is invalid or expired"
« Reply #1 on: August 14, 2014, 10:13:09 PM »
This is most likely due to timeout settings. You need to change the following file:

defaults.inc.php:


// Session lifetime in minutes
$config['session_lifetime'] = 30;


Like you, I have a similar autologon component integrated for my website. You should set the above parameter longer than your cookie timeout if you're using cookies; that way your website (if you're using it in that manner) times out before the mail.

Good luck.

-Jim

Offline Omir

Re: Autologon and "your session is invalid or expired"
« Reply #2 on: August 18, 2014, 12:42:15 PM »
Thanks jwartnic, that makes sense.

The only problem I can see is that if a user logs out of my site then they will still be "logged in" to Roundcube if that cookie is still valid. So if someone different then logs into my site they may be able to access someone else's email.

I think I need to make my main site logout somehow kill the user's Roundcube session at the same time.

Offline SKaero

Re: Autologon and "your session is invalid or expired"
« Reply #3 on: August 18, 2014, 12:59:10 PM »
If you can read the Roundcube cookie you can unset it to log the user out of Roundcube. If you want to be more secure you could also remove the session from the Roundcube database.

Offline Omir

Re: Autologon and "your session is invalid or expired"
« Reply #4 on: August 18, 2014, 01:11:52 PM »
Unfortunately the Roundcube cookie is going to be on a different domain.

I'm thinking I could have a PHP page which my logout project could securely call which would take a username and delete the session from the DB.
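
One way to build the logout page proposed in Reply #4 so that only the main site can trigger it, shown as an added example that is not part of the original thread or of Roundcube: the main site signs the username and a timestamp with a shared secret, and the Roundcube host verifies the signature and its freshness before deleting sessions. The parameter names, the secret, and the session-table layout (`sess_id` plus base64-encoded `vars` containing a `username` entry) are assumptions to check against your install; an in-memory SQLite database with constructed rows stands in for the real one.

```php
<?php
// Added example, not Roundcube code. The secret, parameter names and the
// session-table layout (`session.sess_id`, base64 `session.vars`) are assumptions.
const MAX_SKEW = 60; // seconds a signed request stays valid

// Main-site side: parameters to POST to the Roundcube host on logout.
function sign_logout(string $user, int $ts, string $secret): array {
    $sig = hash_hmac('sha256', $user . "\n" . $ts, $secret);
    return ['user' => $user, 'ts' => (string)$ts, 'sig' => $sig];
}

// Roundcube side: accept only fresh, correctly signed requests.
function verify_logout(array $p, int $now, string $secret): bool {
    foreach (['user', 'ts', 'sig'] as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) return false;
    }
    if (!ctype_digit($p['ts']) || abs($now - (int)$p['ts']) > MAX_SKEW) return false;
    $expected = hash_hmac('sha256', $p['user'] . "\n" . $p['ts'], $secret);
    return hash_equals($expected, $p['sig']); // constant-time compare
}

// Delete every stored session whose decoded vars name $user; returns the count.
function kill_sessions(PDO $db, string $user): int {
    $needle = 'username|s:' . strlen($user) . ':"' . $user . '";';
    $del = $db->prepare('DELETE FROM session WHERE sess_id = ?');
    $killed = 0;
    $rows = $db->query('SELECT sess_id, vars FROM session')->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        $vars = base64_decode($row['vars'], true);
        if ($vars !== false && strpos($vars, $needle) !== false) {
            $del->execute([$row['sess_id']]);
            $killed++;
        }
    }
    return $killed;
}

// Constructed demo: in-memory SQLite stands in for the Roundcube database.
$secret = 'constructed-demo-secret';
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE session (sess_id TEXT PRIMARY KEY, vars TEXT)');
$ins = $db->prepare('INSERT INTO session VALUES (?, ?)');
$ins->execute(['s1', base64_encode('username|s:5:"alice";task|s:4:"mail";')]);
$ins->execute(['s2', base64_encode('username|s:3:"bob";task|s:4:"mail";')]);
$req = sign_logout('alice', time(), $secret);
var_dump(verify_logout($req, time(), $secret));                      // genuine request
var_dump(verify_logout(['user' => 'bob'] + $req, time(), $secret));  // tampered user
var_dump(verify_logout($req, time() + 3600, $secret));               // stale timestamp
echo kill_sessions($db, 'alice'), " session(s) deleted\n";
```

In a real endpoint, `verify_logout()` would be called on the POST parameters before `kill_sessions()`, and the request would travel over HTTPS between the two servers rather than through the user's browser.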