Login Check plugin for SquirrelMail
===================================
Ver 1.0, 2010/01/27


Copyright (c) 2009-2010 Paul Lesniewski <paul@squirrelmail.org>



Description
===========

This plugin is intended to avoid cross-contamination of user
preferences (and associated security issues) that can happen
when users log in to SquirrelMail using a browser where another
user was already logged in (to the same server/domain).

This is a long-standing problem with SquirrelMail that is caused
by cookie-based user sessions - only one cookie per browser per
domain is possible.  In the future, when SquirrelMail offers
other session mechanisms, this plugin will not be necessary.

This plugin is only needed if there is a possibility of users
forgetting to log out before another user attempts to log in
with the same browser to the same domain.



License
=======

This plugin is released under the GNU General Public
License (see COPYING for details).



Donations
=========

If you or your company make regular use of this software,
please consider supporting Open Source development by
donating to the authors or inquire about hiring them to
consult on other projects.  Donation links for the author(s)
are as follows:

Paul Lesniewski: http://squirrelmail.org/donate_paul_lesniewski.php



Requirements
============

  * SquirrelMail version 1.4.10 or later



Security Considerations
=======================

Because this plugin only helps work around a problem that it
cannot solve, using it can bring up some security concerns.
Because it warns a user about a login session that already
exists, it could be handing a malicious user the keys to
someone else's account.  However, because that user already has
access to the computer and browser that was used to log in to
SquirrelMail, if the new user is malicious, there are much
bigger concerns.

Still, some consideration is advisable when deciding to use
and configure this plugin.  For example, consider that configuring
the plugin to redirect to the previous user's account (setting
$login_check_method to 3 in the configuration file) is more
risky in this sense than just displaying a warning (setting
$login_check_method to 1 or 2).



Troubleshooting
===============

  * If changes to the configuration file don't seem to be
    having any effect, ensure that you are editing the correct
    configuration file.  If one is located in the main SquirrelMail
    config directory (named "config_login_check.php"), it will
    always be used.  Otherwise, "config.php" in the login_check
    plugin directory will be used.
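
The precedence rule above, together with the $login_check_method
values from Security Considerations, can be checked with a short
shell script.  This is an added example, not part of the plugin;
the function names are hypothetical, and the config/ and
plugins/login_check/ locations under the SquirrelMail root are an
assumed layout.

```shell
#!/bin/sh
# Added example, not shipped with the Login Check plugin.
# Assumption: <root>/config is the main SquirrelMail config directory
# and <root>/plugins/login_check is the plugin directory.

# Print the configuration file the plugin will actually read:
# config_login_check.php in the main config directory always wins.
login_check_effective_config() {
    sm_root=$1
    if [ -f "$sm_root/config/config_login_check.php" ]; then
        printf '%s\n' "$sm_root/config/config_login_check.php"
    elif [ -f "$sm_root/plugins/login_check/config.php" ]; then
        printf '%s\n' "$sm_root/plugins/login_check/config.php"
    else
        return 1
    fi
}

# Print the last numeric value assigned to $login_check_method.
# Only lines that begin with the assignment are read, so lines
# commented out with // or # are skipped.
login_check_method_value() {
    sed -n 's/^[[:space:]]*\$login_check_method[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1
}

# Report the effective file and setting.
# Exit status: 0 = warning only (1 or 2), 2 = redirect (3), 1 = unknown.
login_check_audit() {
    cfg=$(login_check_effective_config "$1") || {
        echo "no login_check configuration found under $1" >&2
        return 1
    }
    method=$(login_check_method_value "$cfg")
    echo "effective config: $cfg"
    echo "login_check_method: ${method:-unset}"
    case $method in
        3)   echo "redirects to the previous user's account (riskier)"; return 2 ;;
        1|2) echo "displays a warning only"; return 0 ;;
        *)   echo "value not recognised; inspect the file by hand"; return 1 ;;
    esac
}
```

Source the file and run login_check_audit with the SquirrelMail
installation directory as its argument.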



Help Requests
=============

Before looking for help elsewhere, please try to help yourself:
  
  * Read the Troubleshooting section herein.
  
  * Look to see if others have already asked about the same issue.
    There are tips and links for the best places to do this in
    the SquirrelMail mailing list posting guidelines:
    http://squirrelmail.org/wiki/MailingListPostingGuidelines
    You should also try Google or some other search engine.
  
  * If you cannot find any information about your issue, please
    first mail your help request to the squirrelmail-plugins
    mailing list.  Information about it can be found here:
    http://lists.sourceforge.net/mailman/listinfo/squirrelmail-plugins
    You MUST read the mailing list posting guidelines (see above)
    and include as much information about your issue (and your
    system) as possible.  Including configtest output, any debug
    output, the plugin configuration settings you've made and
    anything else you can think of to make it easier to diagnose
    your problem will get you the most useful responses.  Inquiries
    that do not comply with the posting guidelines are liable to
    be ignored.
  
  * If you don't get any replies on the mailing list, you are
    welcome to send a help request to the authors' personal
    address(es), but please be patient with the mailing list.



TODO
====

   * Make this work with 1.5.2.  Currently, a hook would be needed
     for that around line 321 of include/init.php, since that
     code block destroys the user session for the login page
     before any hooks are available for us to execute on.



Change Log
==========
  
  v1.0  2010/01/27  Paul Lesniewski <paul@squirrelmail.org>
    * Initial release.



