Session management

abatie · September 10, 2018, 02:46:15 PM

I'm trying to build a script to handle indirect auto-login to Roundcube (i.e. a non-roundcube login page to handle some business logic); tshark shows sending the right request and cookies, but roundcube reports "session invalid or expired". The only thing I can think of is that the session id is tied to an ip address? Are there any other restrictions or associations with a session id that could be causing this? Thanks...

SKaero · September 10, 2018, 11:26:09 PM

Roundcube has some protections regarding the login, look at the autologon plugin that comes with Roundcube that includes the changes to bypass those checks.

abatie · September 11, 2018, 01:56:38 PM

If the solution requires, modifying Roundcube, we're out of luck. While what we're trying to do is legitimate, it's indistinguishable from a man-in-the-middle attack. It sounds like we'll have to do a full proxy then...

SKaero · September 11, 2018, 02:11:24 PM

I wouldn't call a plugin modify Roundcube but if you don't have any access to make any changes you wont be able to remotely login.

Session management

abatie

SKaero

abatie

SKaero