Brian Candler writes:
> Personally, I would like sqwebmail to handle this better:
That makes three of us, at least. :)
> if it gets a POST for a message when the session has expired, then it
> gives you a login page but with the message in hidden form variables.
That would work, but would be less than ideal where you have a nearly
1M attachment and you're on dial-up.
> If you login correctly, then the message is sent.
Automatically? Noooooooooooooooooooooooooooooooooo. Somebody wanders
away from their desk in the middle of composing mail (they shouldn't,
but sometimes there's an urgent call of nature). Malicious colleague sees
half-finished mail and amends it to insult the boss. Malicious colleague
sends mail, but the session has timed out. Real user returns, logs back
in and mail is sent.
OK, there's an error message about the unsent mail. But what if somebody
hangs on long enough to finish composing the mail and hurriedly clicks
send before dashing to the toilet? The click was made in a hurry and
didn't actually register but the user dashed off without checking that
the browser started to send. Malicious colleague comes along as before.
User returns, sees the error message. Assumes because it was a long mail
the session timed out and logs in quite happily.
I prefer my scheme of automatically saving to drafts (and only permitting
the first auto-save after a timeout to prevent replay attacks being used
to eat up your quota). Still problematic if you've written a 1M mail and
are on dial-up, but if it's a 1K mail and a 999K attachment opening the
draft is a lot less painful than having the attachment as hidden form data.
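As an added illustration (not sqwebmail's code and not from this thread), here is a small Python model of the two schemes argued over above: carrying the message through re-login as hidden form data versus saving the expired-session POST to drafts, accepting only the first auto-save per expired session. Session ids, the TTL and the message bodies are constructed values.

```python
# Added toy model (not sqwebmail code) of a compose POST arriving after the
# session expired. Session ids, TTL and bodies are constructed values.
from dataclasses import dataclass, field

SESSION_TTL = 1800  # seconds a session stays valid (constructed)

@dataclass
class Mailbox:
    sent: list = field(default_factory=list)
    drafts: list = field(default_factory=list)
    pending: list = field(default_factory=list)  # hidden-form scheme: held until re-login
    autosaved: set = field(default_factory=set)  # draft scheme: expired sids already used

def session_valid(sessions, sid, now):
    issued = sessions.get(sid)
    return issued is not None and now - issued <= SESSION_TTL

def handle_send(mbox, sessions, sid, body, now, scheme):
    """Process a POST of a composed message; return the action taken."""
    if session_valid(sessions, sid, now):
        mbox.sent.append(body)
        return "sent"
    if scheme == "resend-after-login":
        # Body rides along as hidden form data and goes out on re-login,
        # whatever the form holds by then; a replayed POST is held too.
        mbox.pending.append(body)
        return "login"
    # Draft scheme: never send on an expired session, and accept only the
    # first auto-save per expired session so a replayed POST cannot eat quota.
    if sid in mbox.autosaved:
        return "dropped"
    mbox.autosaved.add(sid)
    mbox.drafts.append(body)
    return "drafted"

def relogin(mbox):
    """Under the hidden-form scheme a successful login flushes held messages."""
    mbox.sent.extend(mbox.pending)
    mbox.pending.clear()

def scenario(scheme):
    """Tampered POST after expiry, a replay of it, then the real user logs in."""
    sessions = {"sid-1": 0}
    mbox = Mailbox()
    late = SESSION_TTL + 60
    r1 = handle_send(mbox, sessions, "sid-1", "tampered body", late, scheme)
    r2 = handle_send(mbox, sessions, "sid-1", "tampered body", late + 5, scheme)
    sessions["sid-1"] = late + 10  # fresh login
    relogin(mbox)
    return r1, r2, list(mbox.sent), list(mbox.drafts)
```

Running `scenario("resend-after-login")` shows both copies of the tampered body leaving on re-login, while `scenario("draft")` leaves nothing sent and a single draft for the user to inspect.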