Tickets :: [#3282] logouts due to browser string changes.

6.0.0-git

2021-01-19

Summary	logouts due to browser string changes.
Queue	Horde Framework Packages
Queue Version	HEAD
Type	Enhancement
State	Resolved
Priority	1. Low
Owners
Requester	mike.ryan (at) tufts (dot) edu
Created	2006-01-17 (5481 days ago)
Due
Updated	2006-01-18 (5480 days ago)
Assigned
Resolved	2006-01-18 (5480 days ago)
Milestone
Patch	No

2006-01-18 05:14:40	Michael Slusarz	Comment #5 State ⇒ Resolved	Reply to this comment
Implemented in HEAD and 4.1.0.

2006-01-17 22:08:36	Chuck Hagenbuch	Comment #4 State ⇒ Accepted	Reply to this comment
sorry, thought that would be obvious Not so much, sorry... 2) add a config switch to turn off AUTH_REASON_BROWSER logouts, and presumably an explanation of why you'd want to. We'll add this, we already have a checkip switch, so it make sense to have this in parallel.

2006-01-17 21:41:06	mike (dot) ryan (at) tufts (dot) edu	Comment #3	Reply to this comment
sorry, thought that would be obvious: User-Agent string comparisons cause unnecessary logouts when confronted with real browser behavior. the request would be to mitigate that. two possible approaches: 1) make the comparisons smarter. this is probably a lot of work. 2) add a config switch to turn off AUTH_REASON_BROWSER logouts, and presumably an explanation of why you'd want to.

2006-01-17 21:19:30	Chuck Hagenbuch	Comment #2 State ⇒ Feedback	Reply to this comment
Is there a request in here somewhere?

2006-01-17 19:04:40	mike (dot) ryan (at) tufts (dot) edu	Comment #1 Type ⇒ Enhancement State ⇒ New Priority ⇒ 1. Low Summary ⇒ logouts due to browser string changes. Queue ⇒ Horde Framework Packages	Reply to this comment
we're using horde 3.0.5, imp 4.0.4, turba 2.0.4, and ingo 1.0.2 for webmail, and running into a variety of cases where users are logged out prematurely. we've tracked some of these to AUTH_REASON_BROWSER logouts -- there seem to be quite a few browsers out there that can change their User-Agent strings in the middle of a session. a few examples: 1) netscape 8 sometimes switches rendering engines in the middle of a session, and sends a different User-Agent string depending on which rendering engine it's using, e.g. "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Netscape/8.0.4" or "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4". 2) safari appears to occasionally switch from a full User-Agent string such as "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.5" to "CFNetwork/1.1". 3) a browser identifying itself as "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; MSN 9.0;MSN 9.1; MSNbVZ02; MSNmen-us; MSNcOTH; MPLUS)" sometimes has an extra space before "MSN 9.0". 4) a browser identifying itself as "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; MSN 6.1; MSNbMSFT; MSNmen-us; MSNc11; v5m)" occasionally substitutes "MSNczz" for "MSNc11". i suspect we'll wind up turning off AUTH_REASON_BROWSER entirely -- trying to keep up with browser quirks of this sort seems like more trouble than it's worth.