6.0.0-git
2021-01-19

[#3282] logouts due to browser string changes.
Summary logouts due to browser string changes.
Queue Horde Framework Packages
Queue Version HEAD
Type Enhancement
State Resolved
Priority 1. Low
Owners
Requester mike.ryan (at) tufts (dot) edu
Created 2006-01-17 (5481 days ago)
Due
Updated 2006-01-18 (5480 days ago)
Assigned
Resolved 2006-01-18 (5480 days ago)
Milestone
Patch No

History
2006-01-18 05:14:40 Michael Slusarz Comment #5
State ⇒ Resolved
Implemented in HEAD and 4.1.0.
2006-01-17 22:08:36 Chuck Hagenbuch Comment #4
State ⇒ Accepted
> sorry, thought that would be obvious
Not so much, sorry...
> 2) add a config switch to turn off AUTH_REASON_BROWSER logouts, and
> presumably an explanation of why you'd want to.
We'll add this, we already have a checkip switch, so it makes sense to
have this in parallel.
2006-01-17 21:41:06 mike (dot) ryan (at) tufts (dot) edu Comment #3
sorry, thought that would be obvious: User-Agent string comparisons
cause unnecessary logouts when confronted with real browser behavior.
the request would be to mitigate that.

two possible approaches:

1) make the comparisons smarter.  this is probably a lot of work.

2) add a config switch to turn off AUTH_REASON_BROWSER logouts, and
presumably an explanation of why you'd want to.
2006-01-17 21:19:30 Chuck Hagenbuch Comment #2
State ⇒ Feedback
Is there a request in here somewhere?
2006-01-17 19:04:40 mike (dot) ryan (at) tufts (dot) edu Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ logouts due to browser string changes.
Queue ⇒ Horde Framework Packages
we're using horde 3.0.5, imp 4.0.4, turba 2.0.4, and ingo 1.0.2 for
webmail, and running into a variety of cases where users are logged
out prematurely.

we've tracked some of these to AUTH_REASON_BROWSER logouts -- there
seem to be quite a few browsers out there that can change their
User-Agent strings in the middle of a session.  a few examples:

1) netscape 8 sometimes switches rendering engines in the middle of a
session, and sends a different User-Agent string depending on which
rendering engine it's using, e.g. "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 1.1.4322) Netscape/8.0.4" or
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20051012 Netscape/8.0.4".

2) safari appears to occasionally switch from a full User-Agent string
such as "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.5" to "CFNetwork/1.1".

3) a browser identifying itself as "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 1.1.4322; MSN 9.0;MSN 9.1; MSNbVZ02;
MSNmen-us; MSNcOTH; MPLUS)" sometimes has an extra space before "MSN
9.0".

4) a browser identifying itself as "Mozilla/4.0 (compatible; MSIE 6.0;
Windows 98; MSN 6.1; MSNbMSFT; MSNmen-us; MSNc11; v5m)" occasionally
substitutes "MSNczz" for "MSNc11".

i suspect we'll wind up turning off AUTH_REASON_BROWSER entirely --
trying to keep up with browser quirks of this sort seems like more
trouble than it's worth.
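
The four User-Agent changes reported in comment #1, run through progressively looser comparisons and the proposed off switch. This is an added example, not part of the ticket or Horde's code: the function names, mode names and platform regex are assumptions for illustration, "exact" assumes a plain string comparison, and the changed strings for examples 3 and 4 are constructed from the reporter's description.

```python
import re

# First string of each pair is quoted in comment #1. The second string for
# examples 3 and 4 is constructed here from the reporter's description.
MSN3 = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
        ".NET CLR 1.1.4322; MSN 9.0;MSN 9.1; MSNbVZ02; MSNmen-us; MSNcOTH; MPLUS)")
MSN4 = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; MSN 6.1; MSNbMSFT; "
        "MSNmen-us; MSNc11; v5m)")
EXAMPLES = {
    "1 netscape engine switch": (
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Netscape/8.0.4",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4"),
    "2 safari to CFNetwork": (
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/312.8 (KHTML, like Gecko) Safari/312.5",
        "CFNetwork/1.1"),
    "3 msn extra space": (MSN3, MSN3.replace("; MSN 9.0", ";  MSN 9.0")),
    "4 msn token change": (MSN4, MSN4.replace("MSNc11", "MSNczz")),
}

def normalize(ua):
    """Collapse whitespace runs and unify spacing after ';'."""
    return re.sub(r"\s*;\s*", "; ", re.sub(r"\s+", " ", ua.strip()))

def platform(ua):
    """Coarse OS token, or None if the string carries none."""
    m = re.search(r"Windows NT [\d.]+|Windows \d+|Mac OS X", ua)
    return m.group(0) if m else None

def same_browser(stored, current, mode):
    """True keeps the session; False is an AUTH_REASON_BROWSER-style logout."""
    if mode == "off":          # config switch: skip the check entirely
        return True
    if mode == "exact":        # plain string comparison
        return stored == current
    if mode == "normalized":   # tolerate spacing differences only
        return normalize(stored) == normalize(current)
    if mode == "platform":     # weakest binding: only the OS token must match
        return platform(stored) is not None and platform(stored) == platform(current)
    raise ValueError(f"unknown mode: {mode}")

def kept_sessions(mode):
    """Names of the ticket's examples whose session survives under `mode`."""
    return [name for name, (a, b) in EXAMPLES.items() if same_browser(a, b, mode)]

if __name__ == "__main__":
    for mode in ("exact", "normalized", "platform", "off"):
        print(f"{mode:<10} keeps: {kept_sessions(mode)}")
```

Only the off switch keeps the Safari session from example 2, and each looser mode ties the session less tightly to the client that logged in.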
