Finally fix up session restore functionality. Move session handling from login.php...
author pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Tue, 28 Aug 2007 21:31:04 +0000 (21:31 +0000)
committer pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Tue, 28 Aug 2007 21:31:04 +0000 (21:31 +0000)
commit c7ebdfcf0b4f318f9ae50f4da877f9471e20b435
tree 20dccff5f220bc53c6a4aa37376dde24962b2ab5
parent f8e686053e1aaefc590e0dac537bdcaf92fde20f
Finally fix up session restore functionality.  Move session handling from login.php into init.php and fix the mess in redirect.php.  There are some important notes that need to be reviewed in redirect.php, which I am including here to get your attention: FIXME!  IMPORTANT!  SOMEONE PLEASE EXPLAIN THE SECURITY CONCERN HERE; THIS session_destroy() BORKS ANY SESSION INFORMATION ADDED ON THE LOGIN PAGE (SPECIFICALLY THE SESSION RESTORE DATA, BUT ALSO ANYTHING ADDED BY PLUGINS, ETC)... I HAVE DISABLED THIS (AND NOTE THAT THE LOGIN PAGE ALREADY EXECUTES A session_destroy() (see includes/init.php)), SO PLEASE, WHOEVER ADDED THIS, PLEASE ANALYSE THIS SITUATION AND COMMENT ON IF IT IS OK LIKE THIS svn diff include/init.php src/login.php src/redirect.php src/compose.php   WHAT HIJACKING ISSUES ARE WE SUPPOSED TO BE PREVENTING HERE?

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@12617 7612ce4b-ef26-0410-bec9-ea0150e637f0
include/init.php
src/compose.php
src/login.php
src/redirect.php