Roundcube Community Forum

 

Possible login bug

Started by dwkd, October 03, 2011, 01:14:01 PM


dwkd

Hi guys,
I'm running Roundcube on my Red Hat server and I've been encountering what I think is a strange and possibly exploitable bug.
After reading my email through a landline connection, I tend to close my laptop and it goes to standby mode.
As soon as I open it right back and automatically reconnect to the router, DHCP gives me another random IP and I get this "Invalid Session...." or something like that; I can't really remember exactly, but it's in RED and it's an error. It then redirects me to the login window that looks something like this picture I found: http://doc.zentyal.org/en/_images/roundcube-login.png
Here comes the weird part.
In order to re-login I'd normally have to type the email and password, right? Well, one day as I typed, by mistake I forgot to put in the password, and after I typed in the email address it logged me in with the password field left blank. I repeated this at least 10 times throughout the last 6 months so I know it's not a coincidence.

This sounds to me like a big deal so I hope it helps better my fav email software


:cool:

peace

PS
I hope it's not something that is already being looked at, but I did check the pending and solved bugs and it doesn't seem to be mentioned.

dwkd

It just did it again.
The error message I got when I was redirected to the login page is "Session is invalid or expired",
and then I was able to log in with my username and the password field blank.

athoomi


dwkd

I haven't changed any of the preferences so I can't tell you.
As soon as someone determines the issue maybe they can establish if it has anything to do with the preferences being changed or not.

dwkd

I got this thing again and this time I decided to not even type the username and just hit "log in" with both fields blank.
It went through even with both fields empty so I'm guessing the problem is being wrongfully redirected to this login page in the first place when in fact I was still logged in and the only thing it needed was the session to be reinitiated.
That's my guess.
Maybe some RC developer can weigh in or something ...