Re: [sympa-users] Sympa Session breaks

List: sympa-users, the mailing list for listmasters using Sympa

  • From: Peter DiCamillo <address@concealed>
  • To: address@concealed
  • Cc: Serge Aumont <address@concealed>, "Lorenz, Sabine" <address@concealed>
  • Subject: Re: [sympa-users] Sympa Session breaks
  • Date: Fri, 17 Jul 2009 03:43:23 -0400

Serge Aumont wrote:
Lorenz, Sabine wrote:
Hello,

we upgraded from Sympa version 5.3.3 to version 5.4.7 two weeks ago.

After the update we had the following problem: List-owners who logged in via the web-interface and did some action
were logged off automatically.
The entry in the sympa log was "SympaSession::new ignoring session cookie because remote host is not
the original host"
To solve this problem I installed patch 5142
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/SympaSession.pm?r1=5107&r2=5142
and this error didn't appear any more.
Now I found out that there still appears a similar error.
The session of some list-owners breaks when they do a certain action.
The sympa log entries are the following:

Sympa renews the session id (used as client cookie) after each access so
session hijacking is much more difficult. If the client accesses a page
and requests it again before receiving the new cookie value, the session is
broken. You can verify this just by reloading a page very quickly.

In order to limit this problem without introducing a security hole,
Sympa does not renew the session id if https is used. You should use
https; this will solve this problem.
See: http://en.wikipedia.org/wiki/Session_hijacking#Prevention

Serge


I'm also using 5.4.7, and I have a list with private archives. The archives work fine for most messages. However, there is a problem where the session breaks if the message in the archive is in HTML, and the HTML references images included as attachments. In that case, the images don't display, and my session is broken. I always have to authenticate again after viewing a message like that.

I'm not certain about this, but it appears that the session needs to be renewed in order to access each image attachment, but that's not being done. The images don't display because access to them is not allowed, and then I'm no longer authenticated.

It seems to make no difference if I use http or https, and I normally use https.

Having this work would be useful for our site, and I would be grateful for any solutions.

Peter
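The behaviour Serge describes (the session id is renewed on every access, so a second request that still carries the previous id is rejected) and the parallel image fetches Peter reports can be reproduced with a small model. The following is an added example and not Sympa's code: the `SessionStore`, `handle_request` and `load_page_with_images` names are invented for this illustration, and the short grace window during which a just-retired id still maps to the same session is a common mitigation shown for comparison, not something the thread says Sympa implements.

```python
"""Added example, not Sympa's code: a toy session store that reproduces the
per-request session-id rotation race and shows the effect of a short grace
window for a just-retired id.  All names here are invented for the example."""
import secrets


class FakeClock:
    """Deterministic clock so grace-window expiry can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Session:
    def __init__(self, user, sid):
        self.user = user
        self.current_sid = sid


class SessionStore:
    def __init__(self, grace_seconds=0.0, clock=None):
        # grace_seconds == 0 rejects a retired id immediately, which is the
        # behaviour that breaks parallel sub-resource (image) requests.
        self.grace = grace_seconds
        self.clock = clock or FakeClock()
        self.by_sid = {}  # sid -> (Session, retired_at); retired_at is None while current

    def create(self, user):
        sid = secrets.token_hex(16)
        self.by_sid[sid] = (Session(user, sid), None)
        return sid

    def resolve(self, sid):
        """Return the Session behind a cookie value, or None if it is not accepted."""
        entry = self.by_sid.get(sid)
        if entry is None:
            return None
        session, retired_at = entry
        if retired_at is not None:
            if self.grace <= 0 or self.clock() - retired_at > self.grace:
                return None
        return session

    def rotate(self, sid):
        """Issue a fresh id for the session behind sid; the old current id is retired."""
        session = self.resolve(sid)
        if session is None:
            return None
        self.by_sid[session.current_sid] = (session, self.clock())
        new_sid = secrets.token_hex(16)
        self.by_sid[new_sid] = (session, None)
        session.current_sid = new_sid
        return new_sid

    def purge(self):
        """Drop retired ids whose grace window has passed (run periodically)."""
        now = self.clock()
        for sid, (_, retired_at) in list(self.by_sid.items()):
            if retired_at is not None and now - retired_at > self.grace:
                del self.by_sid[sid]


def handle_request(store, cookie):
    """One server hit: validate the cookie, then rotate the id as the thread says
    Sympa does over http.  Returns (authenticated, cookie the response would set)."""
    if store.resolve(cookie) is None:
        return False, None
    return True, store.rotate(cookie)


def load_page_with_images(store, cookie, n_images):
    """Browser fetches an HTML archive page, then fires n_images attachment requests
    in parallel.  Every image request leaves with the cookie held after the page
    response, before any image response's Set-Cookie has been applied; that is the
    race that breaks the session.  Returns how many image requests were accepted."""
    ok, cookie = handle_request(store, cookie)
    if not ok:
        return 0
    results = [handle_request(store, cookie) for _ in range(n_images)]
    return sum(1 for accepted, _ in results if accepted)


if __name__ == "__main__":
    no_grace = SessionStore(grace_seconds=0)
    print("no grace:", load_page_with_images(no_grace, no_grace.create("owner"), 3), "of 3 images accepted")
    with_grace = SessionStore(grace_seconds=5)
    print("5s grace:", load_page_with_images(with_grace, with_grace.create("owner"), 3), "of 3 images accepted")
```

With no grace window only the first image request is accepted and the cookie the browser holds is now dead, which matches the re-authentication Peter sees; with a few seconds of grace all requests succeed while the retired id still stays bound to the same session and is purged shortly afterwards, so the exposure window for a leaked old id stays small. The example models the http path only; per the thread, Sympa does not rotate the id over https at all, which is why Serge recommends it.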