SquirrelMail  
I keep getting logged out while I'm writing a long email or leave my computer for a bit. What gives?

This is caused by one of two problems:

  • The Timeout User plugin is installed
  • PHP session is timing out

The Timeout User plugin

SquirrelMail has a plugin called Timeout User, which your mail administrator has probably installed. They can configure a set amount of idle time that the system waits before automatically logging users out. The default setting is 15 minutes, but your administrator may have chosen a different value.

This plugin is actually a good thing, as it protects you from someone reading your email or impersonating you from your computer if you leave and forget to log out. It also reduces the load on the mail server, so things are faster for everyone. As of Fall 2004, a new version of Timeout User is under development that will auto-save to Drafts before logging you out; please watch for an update in the next few months.

To solve this problem, you may want to do one of the following:

  • start using the "Save Draft" feature when composing long messages or leaving your computer for any length of time,
  • increase (or disable) the idle time limit for Timeout User by going to Options/Display Preferences/Automatic Logout Timer,
  • if the above option is not present, ask your mail administrator to increase the default idle time limit for Timeout User, or
  • ask your system administrator to install the Quick Save plugin, which provides auto-save functionality as you write your email.

PHP sessions

The garbage collection routine in the PHP session handler deletes session data periodically, which (depending on how it is configured) causes an abrupt logout from SquirrelMail even while the application is being actively used.

The PHP variable session.gc_maxlifetime defaults to 24 minutes; the PHP variable session.gc_probability defaults to 1%; and the SquirrelMail configuration variable "Auto Refresh Folder List" defaults to "Never".

This combination causes session data to be dumped and users to be timed out errantly some time after the 24th minute of use.

Setting the SquirrelMail "Auto Refresh Folder List" configuration variable to some time smaller than 24 minutes will resolve this issue. To set the default to less than 24 minutes for all users (a user's own preferences will override this), say to 10 minutes, add the line below to the default_pref file:

left_refresh=600

However, future versions of PHP may break this fix (the session handler's time base could change from file "atime" to file "mtime"). The likelihood of this happening is unknown at this time (2002-01-18).

Raising the session.gc_maxlifetime PHP variable to something more appropriate to SquirrelMail (i.e. 8 to 12 hours) in the httpd.conf file or an .htaccess file will also resolve this issue. However, this necessitates some additional security measures:

  1. Don't change this value in the php.ini file. That is a global change which will affect ALL session handling -- not just SquirrelMail's. This can make the server more susceptible to DoS attacks. Change the variable's value in a non-global, SquirrelMail-specific portion of the httpd.conf file or in an .htaccess file.
  2. Don't jack the value up too high. The higher the value, the more session data will collect. This can fill your file system and DoS your server at the most, and degrade server performance at the least.
  3. Move the session.save_path to someplace other than /tmp that is readable and writable only by the web server application. This will increase the difficulty of a user hijacking a SquirrelMail session. Pick a partition that can't DoS the whole server if it is filled.

These changes are best accomplished in the httpd.conf file. Use the Directory tag. The changes would look something like the following:

<Directory /www/squirrelmail/>
  ...
  php_value session.gc_maxlifetime 28800
  php_value session.save_path /www/sm-sessiondata
  ...
</Directory>

Finally, use a cron job (or the equivalent on your system) to periodically remove abandoned session data from the save path. (Posting a shell script to delete files is scary - so it won't be done. A small error could do real damage. The basic idea is to use the "find" command paying extra attention to the "atime" attribute, pick your shell of choice as the interpreter and "rm" the hits the "find" command returns.)

Gorgon, 2004-04-26
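Gorgon's post above describes the cron cleanup only in words. The script below is an added example, written for this page and not taken from the SquirrelMail project or from any of the contributors here. It assumes the save_path /www/sm-sessiondata from the httpd.conf fragment above and a gc_maxlifetime of 28800 seconds (480 minutes); the function name purge_sessions, the "dry" mode and the guard that refuses any directory not named sm-sessiondata are my own conventions. It matches on mtime rather than atime because, as the Red Hat 9 note below warns, atime may be switched off on the filesystem, while PHP rewrites a session file at the end of each request that uses it.

```shell
#!/bin/sh
# Added example (not SquirrelMail project code): guarded removal of abandoned
# PHP session files from a SquirrelMail-specific session.save_path.
# Assumptions (hypothetical): save_path is /www/sm-sessiondata as in the
# httpd.conf fragment on the page; gc_maxlifetime is 28800 s, i.e. 480 min;
# PHP's "files" session handler names sessions sess_<id>.

# purge_sessions DIR MINUTES [dry]
# Deletes regular files named sess_* directly under DIR whose mtime is more
# than MINUTES old. With "dry" as the third argument it only lists them.
purge_sessions() {
    dir=$1
    minutes=$2
    mode=${3:-delete}

    # Guard against a typo in the cron line wiping an unrelated tree: only
    # operate on a directory called sm-sessiondata (an assumed naming rule).
    case "$dir" in
        */sm-sessiondata|*/sm-sessiondata/) ;;
        *) echo "refusing to purge unexpected directory: $dir" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # MINUTES must be a plain non-negative integer; anything else would turn
    # into a malformed or surprising -mmin argument.
    case "$minutes" in
        ''|*[!0-9]*) echo "bad minutes value: $minutes" >&2; return 2 ;;
    esac

    # -maxdepth 1: never descend; -type f: never remove directories;
    # -name 'sess_*': quoted so the shell cannot expand the glob;
    # -mmin "+N": last modified more than N minutes ago.
    if [ "$mode" = dry ]; then
        find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$minutes" -print
    else
        find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$minutes" \
            -print -exec rm -f -- {} \;
    fi
}

# Cron entry point (run hourly, for example):  purge_sessions.sh --run
if [ "${1:-}" = "--run" ]; then
    purge_sessions /www/sm-sessiondata 480
fi
```

Run it from cron as the web server user (or root), passing the same directory as session.save_path and gc_maxlifetime converted from seconds to minutes; try the "dry" mode first to see what would be removed. Note that this only deletes files a browser has not touched for the full lifetime, so an active SquirrelMail session is never removed by the script even on a filesystem mounted without atime updates.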


Red Hat 9, PHP v4.2.2, SquirrelMail v1.4.2

A word of caution. Make sure that the file system that session files are stored in has "atime" turned on (the default in ext3). I turned it off for performance reasons and session management broke. Apparently future versions of PHP may use "mtime" rather than "atime" to determine if a session file has been accessed, but v4.2.2 still uses "atime".


shell script to remove sm-sessiondata (put it in your cron job daily):

# only regular sess_* files, never the directory itself; glob quoted from the shell
find /var/www/sm-sessiondata/ -type f -name 'sess_*' -mtime +1 -exec rm -f {} \;

Julio Covolato


As noted above, posting a shell script might be scary, so I felt I should at least correct the above snippet, at least if run from bash:

# a gc_maxlifetime of 28800 seconds is 480 minutes; "+" means older than that
find /var/www/sm-sessiondata/ -type f -name 'sess_*' -mmin +480 -exec rm -f '{}' \;

By using find's -mmin option you may (and have to, btw) specify the time in minutes, not just days, as it is the case with the -mtime option, and the {} need quoting in the shell.

RK, 2007-01-23


Sample garbage collection script found in Debian's php.ini (Debian automatically cleans according to gc_maxlifetime unless you use the subdirectory option for storing session files):

cd /path/to/sessions; find -cmin +24 | xargs rm

66.100.227.144, 2008-07-10

© 1999-2016 by The SquirrelMail Project Team