Error when using back button after sending an email

[rcubetrac]

Reported by mgrum on 30 Jul 2014 14:40 UTC as Trac ticket #1490009

When you click on the browser's back button after sending an email, you get back to a URL that contains the _id of the message you have just sent. But since there is no $_SESSION['compose_data_'] entry for this message any more, you get an error page in the browser and a log entry that says PHP Error: Invalid compose ID.

Apparently, there are some users who do this (probably because they want to get back to the compose form to write another mail).

The obvious solution to allow this without an error would be to create a new compose ID in these cases. But there is this a comment in program/steps/compose.inc that claims it is better to abort and show the error page, because otherwise we might create infinite redirect loops. The comment references bug #1487028.

However, after reading both the code and the bug report I don't understand how these infinite redirects could happen. Even loosing the session data between the ID generation and the page reload does not cause an infinite loop, it just causes a second iteration. I think the only real possibility that could actually lead to infinite redirects would be a situation where roundcube cannot write session variables at all (but that would break a lot of things and would probably make normal usage impossible anyway).

So am I missing something? Or is it safe to disable the error message? Maybe bug #1487028 is just not relevant any more?

Migrated-From: http://trac.roundcube.net/ticket/1490009

[rcubetrac]

Comment by jeromeb on 16 May 2015 01:57 UTC

We are facing the same issue and I was wondering if instead of raising an error we could not just redirect to the inbox as a fail-over, since the infinite loop this piece of code is trying to solve is due to a corrupt compose array.
It is probably not what users would expect when clicking the back button, but at least wouldn't confuse them with a 500 error.

    // Infinite redirect prevention in case of broken session (#1487028)
    if ($COMPOSE_ID) {
        $RCMAIL->output->redirect(array(
            '_task' => 'mail',
            '_action' => 'show',
            '_mbox' => 'INBOX'
        ));
        return;
    }

[rcubetrac]

Owner changed by @alecpl on 31 Jul 2015 10:25 UTC

=> alec

[rcubetrac]

Milestone changed by @alecpl on 31 Jul 2015 10:25 UTC

later => 1.1.3

[rcubetrac]

Comment by @alecpl on 31 Jul 2015 10:57 UTC

Here are some possible solutions:

1. Check HTTP_REFERER and if _action != compose do not display the error but instead allow a new mail composition. I know Referer header is not super reliable, but for this use case it should be good enough.
2. Store sent mail compose-id in session and do not display the error if the id already exist.

In any case we could also do not log the error as it is not really helpful for the admin anyway.

There's another issue with both of these solutions. They would not handle nicely the case when user hits the compose page with ID specified after the session expired or he set such URL in favorites, etc. To fix these we should probably display more human-friendly error with a link to "clean" compose page.

[rcubetrac]

Comment by @alecpl on 31 Jul 2015 16:49 UTC

Fixed in 4b72a1f.

[rcubetrac]

Status changed by @alecpl on 31 Jul 2015 16:49 UTC

new => closed