Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.1.8

Bug #934 Session ID should not be chosen based on user/password
Submitted: 2004-03-02 23:04 UTC
From: gostev at rogers dot com Assigned: gurugeek
Status: Closed Package: Auth_HTTP
PHP Version: 4.3.1 OS: Mandrake 9.1
Roadmaps: (Not assigned)    
Subscription  


 [2004-03-02 23:04 UTC] gostev at rogers dot com
Description: ------------ Session ID should be unique for the session, so when many (2) users log in with the same credentials, they share the same session, that is a mess. Even with only one user the session variables are not expired when the session does, so the user got the same outdated session context when he logs in (if garbage collector did not run between sessions). As a worst case there should be a way to switch this behaviuor off instead of patching the code. Thank you, Ivan Gostev Reproduce code: --------------- In function assignData() line 88 should be commented out or removed: // session_id(md5("Auth_HTTP" . $this->username . $this->password));

Comments

 [2004-03-31 20:18 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!
 [2004-04-16 17:15 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!