The action redirect of the login servlet takes a one-time token and redirects the user to the session that token belongs to. Unfortunately we discovered errors in the infrastructure around Open-Xchange that caused those one-time tokens to be delivered to the wrong clients, so a wrong client was redirected into another user's session. This was possible because the action redirect rewrote the client IP and User-Agent stored in the session to those of whichever client presented the token.

To prevent this, the action redirect will from now on, by default, no longer rewrite the client IP and User-Agent. A one-time token that was sent to the wrong client is then denied when that client accesses Open-Xchange, because its IP and User-Agent do not match the ones stored in the session. To re-enable the old behavior, a switch has been added to the /opt/open-xchange/etc/groupware/login.properties configuration file. The property looks like this:

# Configures whether an insecure login is allowed. Meaning if local IP and/or user-agent strings are replaced in associated user session on
# login redirect or login redeem requests. To create a session from a server for some client you have to pass the clients IP address when
# creating the session.
# WARNING! Setting this parameter to true may result in users seeing a different users content if the infrastructure around OX does not work
# correctly.
com.openexchange.ajax.login.insecure=false

The property is deliberately named insecure because it enables operations of the login servlet that are potentially insecure and may lead to security problems. Administrators who switch on that behavior should consider themselves warned!
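As an added illustration (not Open-Xchange's own code), the following Python model shows the check behind the new default: a session records the client IP and User-Agent it was created with, a one-time token redeemed from a client whose IP or User-Agent does not match is refused and consumed, and insecure=True restores the old behavior of rewriting the session's IP and User-Agent to those of the presenting client. The class and method names (Session, LoginRedirect, create_session, issue_token, redirect) and the sample addresses and User-Agent strings are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session bound to the client it was created for."""
    session_id: str
    user: str
    client_ip: str
    user_agent: str


class LoginRedirect:
    """Simplified model (hypothetical, not the real servlet) of token redemption.

    insecure=False mirrors the new default: the session keeps the IP and
    User-Agent it was created with and a token presented by any other client
    is denied. insecure=True mirrors the old behaviour governed by
    com.openexchange.ajax.login.insecure=true.
    """

    def __init__(self, insecure: bool = False) -> None:
        self.insecure = insecure
        self.sessions: Dict[str, Session] = {}
        self.tokens: Dict[str, str] = {}  # one-time token -> session id

    def create_session(self, user: str, client_ip: str, user_agent: str) -> str:
        # The creator must pass the client's IP address up front; with the
        # secure default there is no later rewrite that could fill it in.
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = Session(session_id, user, client_ip, user_agent)
        return session_id

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = session_id
        return token

    def redirect(self, token: str, client_ip: str, user_agent: str) -> Optional[Session]:
        # A token is consumed on first use, whether or not the use succeeds,
        # so a misdelivered or replayed token cannot be retried.
        session_id = self.tokens.pop(token, None)
        if session_id is None:
            return None
        session = self.sessions[session_id]
        if self.insecure:
            # Old behaviour: trust whoever holds the token and rebind the session.
            session.client_ip = client_ip
            session.user_agent = user_agent
            return session
        if session.client_ip != client_ip or session.user_agent != user_agent:
            # New default: token arrived at a client the session was not created for.
            return None
        return session


if __name__ == "__main__":
    # Constructed sample values for a local demonstration.
    secure = LoginRedirect(insecure=False)
    sid = secure.create_session("alice", "10.0.0.5", "MailClient/1.0")
    token = secure.issue_token(sid)
    print("wrong client:", secure.redirect(token, "10.0.0.9", "MailClient/1.0"))
    token = secure.issue_token(sid)
    print("right client:", secure.redirect(token, "10.0.0.5", "MailClient/1.0"))
```

The denial happens entirely inside the server: the misdelivered token is still single-use and is discarded, but it no longer yields a session for the client that wrongly received it.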