Author Topic: Session management  (Read 607 times)

Offline abatie

  • Newbie
  • *
  • Posts: 2
Session management
« on: September 10, 2018, 02:46:15 PM »
I'm trying to build a script to handle indirect auto-login to Roundcube (i.e. a non-roundcube login page to handle some business logic); tshark shows sending the right request and cookies, but roundcube reports "session invalid or expired".  The only thing I can think of is that the session id is tied to an ip address?  Are there any other restrictions or associations with a session id that could be causing this?  Thanks...

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,517
    • http://SKaero.com/
Re: Session management
« Reply #1 on: September 10, 2018, 11:26:09 PM »
Roundcube has some protections regarding the login, look at the autologon plugin that comes with Roundcube that includes the changes to bypass those checks.

Offline abatie

  • Newbie
  • *
  • Posts: 2
Re: Session management
« Reply #2 on: September 11, 2018, 01:56:38 PM »
If the solution requires, modifying Roundcube, we're out of luck.  While what we're trying to do is legitimate, it's indistinguishable from a man-in-the-middle attack.  It sounds like we'll have to do a full proxy then...

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,517
    • http://SKaero.com/
Re: Session management
« Reply #3 on: September 11, 2018, 02:11:24 PM »
I wouldn't call a plugin modify Roundcube but if you don't have any access to make any changes you wont be able to remotely login.