
Bug #934 Session ID should not be chosen based on user/password
Submitted: 2004-03-02 23:04 UTC
From: gostev at rogers dot com
Assigned: gurugeek
Status: Closed
Package: Auth_HTTP
PHP Version: 4.3.1
OS: Mandrake 9.1
Roadmaps: (Not assigned)


 [2004-03-02 23:04 UTC] gostev at rogers dot com
Description:
------------
Session ID should be unique for the session, so when many (2) users log in with the same credentials, they share the same session, which is a mess. Even with only one user, the session variables do not expire when the session does, so the user gets the same outdated session context when he logs in (if the garbage collector did not run between sessions).

As a worst case there should be a way to switch this behaviour off instead of patching the code.

Thank you,
Ivan Gostev

Reproduce code:
---------------
In function assignData() line 88 should be commented out or removed:

// session_id(md5("Auth_HTTP" . $this->username . $this->password));
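
The behaviour described in this report, as an added example that is not part of the original report and is not Auth_HTTP's own code: it compares a session ID derived from the credentials, as in the quoted line, with a random per-login ID, using an in-memory stand-in for the session store. The function names, the `SessionStore` class, the `$shareSessions` flag and the credentials are assumptions made for illustration.

```php
<?php
// Added example, not Auth_HTTP source. Names and the $shareSessions flag are
// hypothetical; the credentials are constructed sample values.

// ID as in the line quoted in the report: a pure function of the credentials.
function derivedSessionId(string $user, string $pass): string
{
    return md5('Auth_HTTP' . $user . $pass);
}

// Per-login ID: 128 bits from the CSPRNG, unrelated to the credentials.
function freshSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// Stand-in for the session save path: ID => stored variables. Entries stay
// until garbage collection runs, which this example never triggers.
final class SessionStore
{
    private array $files = [];

    public function open(string $id): array
    {
        return $this->files[$id] ?? [];
    }

    public function save(string $id, array $vars): void
    {
        $this->files[$id] = $vars;
    }
}

// Hypothetical login step: pick the ID, then load whatever is stored under it.
function login(SessionStore $store, string $user, string $pass, bool $shareSessions): array
{
    $id = $shareSessions ? derivedSessionId($user, $pass) : freshSessionId();
    return ['id' => $id, 'vars' => $store->open($id)];
}

foreach ([true, false] as $shareSessions) {
    $store = new SessionStore();
    $first = login($store, 'alice', 'example-pass', $shareSessions);
    $store->save($first['id'], ['cart' => ['item-1']]); // state left by login 1
    $second = login($store, 'alice', 'example-pass', $shareSessions);

    printf("sharing=%s same_id=%s inherited_vars=%s\n",
        var_export($shareSessions, true),
        var_export($first['id'] === $second['id'], true),
        json_encode($second['vars']));
}
```

In a real handler the non-shared case needs no custom ID: let PHP generate it in `session_start()` and call `session_regenerate_id(true)` after a successful login, which issues a new ID and deletes the old session's data.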

Comments

 [2004-03-31 20:18 UTC] gurugeek
Working on making the session sharing optional. Should appear on the next release.

 [2004-04-16 17:15 UTC] gurugeek
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in a short time. Thank you for the report, and for helping us make PEAR better.

Fixed on RC1 using session sharing (default TRUE); a further fix will be posted on RC2, to be released in the next few days.