kenn writes:
But to answer your question, my users are complaining that by the time
they finish typing a lengthy email, sqwebmail has logged them out and they
can't send it ....
./configure --help is your friend. However, increasing the timeouts
decreases security when people leave their computer and forget to logout.
The longer the timeout, the more chance of somebody coming along and
doing something naughty.
I do wish sqwebmail could (perhaps as a configure-time option) have the
ability to be a little more sensible about this. Like maybe saving the
message to the drafts folder instead of sending it and warning the user
that the message has been saved to the drafts folder. Obviously there is
the possibility of somebody using a replay attack to repeatedly save
drafts. So it would have to keep track of whether the user deliberately logged
out (an attempt to post a message in that situation would fail, as it
does now) or if there was a timeout and then allow only the first message
the user attempts to post after a timeout to be saved to drafts. If the
message was posted by the real user, that user can log in again, get the
message from drafts and send it. If the message was posted by a malicious
person while the real user was not in front of the computer then the
draft can be ignored (or inspected to find out just what sort of prank
somebody was trying to play on you).
It's not perfect, because somebody could overflow your disk quota with
an attachment (if you were already close to using your quota), but
apart from that it seems reasonably safe (and if it's not Mr Sam will
shortly explain in full detail why it's a security hole). I think this
would be relatively easy to implement. If the user logs out, delete the
sqwebmail-ip file (as currently done). If the user is timed out, rename
sqwebmail-ip to sqwebmail-oldip. If the user logs in, delete
sqwebmail-oldip if it exists. If the user attempts to post a message and
sqwebmail-ip does not exist but sqwebmail-oldip does exist and the session
token matches, then save that message in drafts, delete sqwebmail-oldip
and then return a login page with the error that the session has timed out
but the message you attempted to post was saved in drafts. If you wanted
to get fancy you might apply soft and/or hard timeouts to how long
sqwebmail-oldip would be honoured.
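The file-based state machine sketched above, written out as an added illustration (this is not sqwebmail code; the sqwebmail-ip and sqwebmail-oldip names come from the post, while the Drafts folder name, the token format and the scenario are assumptions):

```python
import hmac
import os
import tempfile
from pathlib import Path

class SessionStore:
    # One mailbox directory; the two session file names are the ones named in the post.
    def __init__(self, maildir):
        self.maildir = Path(maildir)
        self.active = self.maildir / "sqwebmail-ip"      # live session token, as sqwebmail uses today
        self.expired = self.maildir / "sqwebmail-oldip"  # proposed: token kept only after a timeout
        self.drafts = self.maildir / "Drafts"            # assumed drafts folder name
        self.drafts.mkdir(parents=True, exist_ok=True)
    def _matches(self, path, token):
        return path.exists() and hmac.compare_digest(path.read_text(), token)
    def login(self, token):
        self.expired.unlink(missing_ok=True)  # a fresh login voids any timed-out token
        self.active.write_text(token)
    def logout(self):
        self.active.unlink(missing_ok=True)   # deliberate logout: no grace period at all
    def timeout(self):
        if self.active.exists():
            os.replace(self.active, self.expired)  # keep the token, but only under the "old" name
    def post(self, token, message):
        """Return 'sent', 'saved_to_drafts' or 'rejected'."""
        if self.active.exists():
            return "sent" if self._matches(self.active, token) else "rejected"
        if self._matches(self.expired, token):
            with open(tempfile.mkstemp(dir=self.drafts, prefix="timedout-")[0], "w") as f:
                f.write(message)
            self.expired.unlink()  # one draft per timeout: a replayed request finds no token
            return "saved_to_drafts"
        return "rejected"

def scenario(maildir=None):
    # Walk the proposed flow on a scratch mailbox; returns each post's outcome in order.
    s = SessionStore(maildir or tempfile.mkdtemp())
    out = []
    s.login("tok-A")
    out.append(s.post("tok-A", "quick reply"))        # live session: sent
    s.timeout()
    out.append(s.post("wrong", "forged"))             # token mismatch after timeout: rejected
    out.append(s.post("tok-A", "the lengthy email"))  # first genuine post after timeout: saved
    out.append(s.post("tok-A", "the lengthy email"))  # replay of the same request: rejected
    s.login("tok-B")
    s.logout()
    out.append(s.post("tok-B", "after logout"))       # deliberate logout: rejected, as today
    return out
```

The soft/hard expiry of sqwebmail-oldip mentioned at the end is left out; it would be a timestamp check on that file inside post().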