Roundcube Community Forum

Release Support => Pending Issues => Topic started by: litlfrog on October 16, 2008, 02:16:36 PM

Title: Rare, but serious security problem: seeing others' e-mail
Post by: litlfrog on October 16, 2008, 02:16:36 PM
We're currently using release 0.2b, but have been using 0.2a for a while. A few times in the last six months, we've had customers call in to say that when they open RoundCube from our webpage to check their e-mail, they're not taken to a login screen or to their e-mail--they see someone else's e-mail. That's a serious problem. Has anyone else seen this happen before? Whether or no, is there somewhere we can look to make changes? Thanks.
Title: Rare, but serious security problem: seeing others' e-mail
Post by: rosali on October 16, 2008, 02:35:02 PM
I'm quite sure the scenario happens if a user does not log out.

Check the following:
#1- login
#2- go within the same browser window to (f.e.) Google (http://www.google.com)
#3- now go in the same window to RoundCube again ...

You are not prompted with login screen ..., Right?
Title: Rare, but serious security problem: seeing others' e-mail
Post by: litlfrog on October 16, 2008, 03:49:55 PM
Well, sure. In that case, you see your e-mail right away because the browser presumably saves a cookie and takes you directly back to the mail. I'm speaking of someone on a different computer, in a different state, opening RoundCube and immediately seeing the e-mail of a different customer.
Title: Rare, but serious security problem: seeing others' e-mail
Post by: rosali on October 17, 2008, 01:22:16 AM
And you are sure that on that different computer no one before logged into RoundCube leaving a browser window open?
Title: Rare, but serious security problem: seeing others' e-mail
Post by: litlfrog on October 17, 2008, 10:25:27 AM
No, I don't know that at all. Let's say customer A in Albuquerque reads his mail, then navigates to Google in that same browser window. Customer B in Bakersfield clicks the RoundCube link from our website and sees Customer A's e-mail. As I said, it's only happened a couple of times.

My apologies for not knowing much about the software; I'm just starting to learn. I'm not the sysadmin, I'm just the one at the company who has the time to look into this right now.
Title: Rare, but serious security problem: seeing others' e-mail
Post by: dano on October 17, 2008, 12:29:55 PM
And what if they have Roundcube bookmarked, does it still happen then? Maybe look into the code for the link on your webpage?

I've been using RC for well over a year with multiple users on multiple domains and haven't seen anything like this.

If it is what Rosali is thinking you could try turning down the session lifetime in config/main.inc.php
// session lifetime in minutes
$rcmail_config['session_lifetime'] = 10;
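To make the effect of the session lifetime suggestion above concrete, here is an added illustration that is not part of the thread and not Roundcube's own code: a minimal server-side session table in Python with an idle lifetime in minutes (the same meaning as the quoted `session_lifetime` setting; the value 10 and the user names are constructed). It shows the three cases the thread turns on: a cookie reused within the lifetime still resolves to the same user, a cookie left idle past the lifetime is dropped server side and sends the visitor to the login screen, and an explicit logout invalidates the session immediately.

```python
# Idle-session lifetime in minutes; mirrors the meaning of Roundcube's
# $rcmail_config['session_lifetime'] quoted in the thread (constructed value).
SESSION_LIFETIME_MINUTES = 10


class SessionStore:
    """Minimal server-side session table: session id -> {user, last_activity}."""

    def __init__(self, lifetime_minutes=SESSION_LIFETIME_MINUTES):
        self.lifetime = lifetime_minutes * 60  # seconds
        self._sessions = {}
        self._counter = 0

    def login(self, user, now):
        # Issue a fresh id on every login so an earlier id is never handed out again.
        self._counter += 1
        sid = f"sess-{self._counter:04d}"
        self._sessions[sid] = {"user": user, "last": now}
        return sid

    def resolve(self, sid, now):
        """Return the user bound to sid if the session is live, else None (go to login)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last"] > self.lifetime:
            # Idle longer than the lifetime: delete it server side so the stale
            # cookie in a browser window that was never logged out is useless.
            del self._sessions[sid]
            return None
        entry["last"] = now  # activity keeps the session alive
        return entry["user"]

    def logout(self, sid):
        # Explicit logout removes the session regardless of remaining lifetime.
        self._sessions.pop(sid, None)


def demo():
    """Walk through the three cases discussed in the thread with a 10-minute lifetime."""
    store = SessionStore(lifetime_minutes=10)
    t0 = 1_000_000.0  # constructed clock value in seconds

    sid = store.login("customer_a", t0)
    # 5 minutes later the same cookie still maps to customer A
    # (the "not prompted with login screen" case rosali describes).
    within = store.resolve(sid, t0 + 5 * 60)
    # 11 idle minutes after that last activity the cookie no longer resolves.
    expired = store.resolve(sid, t0 + 5 * 60 + 11 * 60)

    # Logging out drops the session immediately.
    sid2 = store.login("customer_a", t0)
    store.logout(sid2)
    after_logout = store.resolve(sid2, t0 + 1)

    return within, expired, after_logout


if __name__ == "__main__":
    print(demo())  # ('customer_a', None, None)
```

The point for an operator is that a shorter lifetime only narrows the window in which an abandoned browser window stays usable; it does not explain how a visitor on a different machine could be handed another customer's session, so the link on the website and the session cookie scope are still worth checking as dano suggests.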