Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.1.8
Bug #934 Session ID should not be chosen based on user/password
Submitted: 2004-03-02 23:04 UTC
From: gostev at rogers dot com Assigned: gurugeek
Status: Closed Package: Auth_HTTP
PHP Version: 4.3.1 OS: Mandrake 9.1
Roadmaps: (Not assigned)    
Subscription  
Comments Add Comment Add patch


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 41 - 26 = ?

 
 [2004-03-02 23:04 UTC] gostev at rogers dot com
Description: ------------ Session ID should be unique for the session, so when many (2) users log in with the same credentials, they share the same session, that is a mess. Even with only one user the session variables are not expired when the session does, so the user got the same outdated session context when he logs in (if garbage collector did not run between sessions). As a worst case there should be a way to switch this behaviuor off instead of patching the code. Thank you, Ivan Gostev Reproduce code: --------------- In function assignData() line 88 should be commented out or removed: // session_id(md5("Auth_HTTP" . $this->username . $this->password));

Comments

 [2004-03-31 20:18 UTC] gurugeek
Working on making the session sharing optional. Should appear on the next release.
 [2004-04-16 17:15 UTC] gurugeek
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better. Fixed on RC1 using session sharing (default TRUE) a further fix will be posted on RC2 to be released in the next few days.