I am experiencing a strange behavior with the services module. I call system.connect to get a sessid, and then I call user.login using the sessid from before. This gives me a good sessid to use for subsequent function calls. However after every function call while using that sessid, if I do a "SELECT * FROM {sessions}" a new row appears with a new sessid and 0 for uid. Since a new row is made after each function call, programs that make many calls quickly overpopulate the sessions table. I would assume that this behavior will cause a performance penalty.

Also, when calling user.logout, my old sessid remains in the database and can continue to be used. This seems to me like a security issue if logging out doesn't actually log you out.

Thanks

Attachment (comment #7): Picture 10.png, 18.22 KB, uploaded by usonian

Comments

rsmith5

Has anyone had a chance to look at this?

amitaibu

I have a feeling this is a cookie issue.
While logged in as uid == 1, I execute this from the browser I'm logged in to:

$account = xmlrpc('http://example.com/services/xmlrpc', 'system.connect');

however the result shows uid == 0.

snelson

Assigned: Unassigned » marcingy
Status: Active » Postponed (maintainer needs more info)

This is definitely happening. Annotated services.module and saw that marc, you committed the updated session handling code. Can you work this out?

jtsnow

Version: 6.x-0.9 » 6.x-0.13
Priority: Normal » Critical

Not only is a new session row being added to the database every time a method is called, but I'm experiencing some other weird behavior:

For example, I have written a simple XML-RPC client in C++. If I call an xmlrpc method with ANY string as my session ID, the method call executes and returns the same as if I passed a valid session ID.

This seems very bad.

snelson

Assigned: marcingy » snelson

sitron2

Experiencing the same as jtsnow, but from an amfphp/flex app.
After a system.connect I can call user.login with any string as sessid (valid or not).

usonian

Title: new session id created with each function call » methods can be called with arbitrary session ID strings and new session id created with each function call
Attached file: Picture 10.png (new, 18.22 KB)

Also seeing this behavior with a Python xmlrpclib client; it appears that I can call any method using any arbitrary string as a session ID, e.g.:

login = drupal.user.login(hashMap.hexdigest(), domain, timestamp, nonce, '1234567890', user, password)

(Where 'drupal' is an xmlrpclib ServerProxy object)

It looks like the initial user.login call establishes a session with the correct UID, but any methods called after that get new session records in the sessions table, with UID 0.

usonian

Version: 6.x-0.13 » 6.x-1.x-dev

(Updated version, as this is still happening in 6.x-1.x-dev.)

marcingy

Status: Postponed (maintainer needs more info) » Active

marcingy

Version: 6.x-1.x-dev » 6.x-2.x-dev
Status: Active » Fixed

The issue with session ids not being cleared should now be resolved when a new dev version is generated. In addition, the issue with each request generating a new row in the table also seems to be resolved.

An arbitrary session id can be passed in, but the new session created has a uid of 0, so assuming security is set up correctly in terms of permissions there is no issue. And Drupal allows for the same thing, e.g. edit the cookie in Firefox and a new row in the table will be created when a page is refreshed, with a uid of 0.
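To make the three behaviours discussed in this thread concrete (a new anonymous row inserted on every call, an arbitrary string accepted as a sessid, and a sessid that stays usable after user.logout) next to the checks that prevent them, here is an added Python model. It is not Services module or Drupal code: the in-memory SessionStore, the LooseService and StrictService classes, the run_scenario driver and the sample account are all constructed for this example.

```python
import secrets

ANONYMOUS_UID = 0
# Constructed sample account: name -> (uid, password). Not real credentials.
USERS = {"admin": (1, "correct-horse")}


class SessionStore:
    """In-memory stand-in for the {sessions} table, keyed by sessid."""

    def __init__(self):
        self.rows = {}  # sessid -> uid

    def create(self, uid=ANONYMOUS_UID):
        sid = secrets.token_hex(16)
        self.rows[sid] = uid
        return sid

    def row_count(self):
        return len(self.rows)


class LooseService:
    """Models what the thread reports: the sessid passed in is never looked up,
    every call inserts a fresh anonymous row, and logout deletes nothing."""

    def __init__(self):
        self.store = SessionStore()

    def connect(self):
        return self.store.create()

    def login(self, sid, name, password):
        uid, expected = USERS.get(name, (None, None))
        if password != expected:
            raise ValueError("bad credentials")
        return self.store.create(uid)  # new row; the sid passed in is ignored

    def call(self, sid, method):
        self.store.create()  # one more uid-0 row per request
        return self.store.rows.get(sid, ANONYMOUS_UID)  # request runs regardless

    def logout(self, sid):
        return True  # the row stays in the table and remains usable


class StrictService:
    """Hardened variant: unknown sessids are rejected, login rotates the sessid
    (the pre-auth row is dropped), calls reuse the row, logout deletes it."""

    def __init__(self):
        self.store = SessionStore()

    def connect(self):
        return self.store.create()

    def _require(self, sid):
        if sid not in self.store.rows:
            raise ValueError("unknown or expired session")
        return self.store.rows[sid]

    def login(self, sid, name, password):
        self._require(sid)
        uid, expected = USERS.get(name, (None, None))
        if password != expected:
            raise ValueError("bad credentials")
        del self.store.rows[sid]  # never keep the pre-auth id after login
        return self.store.create(uid)

    def call(self, sid, method):
        return self._require(sid)  # existing row reused, nothing inserted

    def logout(self, sid):
        self._require(sid)
        del self.store.rows[sid]
        return True


def run_scenario(service):
    """Drive a service through the sequence from the thread and report results."""
    sid0 = service.connect()
    sid1 = service.login(sid0, "admin", "correct-horse")
    for _ in range(3):
        service.call(sid1, "node.get")
    rows_after_calls = service.store.row_count()

    try:  # a made-up sessid that was never issued
        service.call("0123456789abcdef", "node.get")
        bogus_accepted = True
    except ValueError:
        bogus_accepted = False

    service.logout(sid1)
    try:
        service.call(sid1, "node.get")
        usable_after_logout = True
    except ValueError:
        usable_after_logout = False

    return {
        "rows_after_calls": rows_after_calls,
        "bogus_accepted": bogus_accepted,
        "usable_after_logout": usable_after_logout,
    }


if __name__ == "__main__":
    print("loose :", run_scenario(LooseService()))
    print("strict:", run_scenario(StrictService()))
```

With the loose model, connect plus login plus three calls leave five rows and the bogus and post-logout calls both go through; with the strict model the same sequence leaves one row and both of those calls are refused. Rejecting an unknown sessid outright, rather than silently creating a uid-0 session for it, is also what keeps the table from filling up.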

marcingy

Status: Fixed » Closed (fixed)