scenario:
1. login with a registered user (eg. moderator, in back-end), logout
[session cookie is generated]
then (w/o closing browser)
2. login thru services with another registered user (eg. visitor, to use drupal mail or create content) in a full flash site (site front-end, so no means to log out the user, or tell when the user closes the site in order to log the user out)
[session cookie stays same but receives other value]

somehow, at this point, when using restricted services (eg. drupal mail allowed only by the visitor, not anonymous user), drupal silently fails the service call ("user not allowed…")

it seems the session cookie gets corrupted, and strangely it then affects everybody who logs in with the visitor account (restricted service calls fail, as if the calls are not done by the visitor account)

logging out the visitor, clearing all domain cookies and restarting the browser resolve the issue…

in normal site usage, only step 2 is done/used (where it runs all fine), but when moderators login, and then visit front-end (thus automatically logging as visitor) in same browser w/o closing browser (which expires the cookie), then the session seems to be corrupted…

(this issue seems to be related to http://drupal.org/node/60584)

should there maybe be a call to session_destroy() or session_regenerate() (before user_authenticate()) in the user_service_login() method?

Comments

marcingy’s picture

Assigned: Unassigned » snelson

Using flash

snelson’s picture

Status: Active » Postponed (maintainer needs more info)

I wasn't able to duplicate this. I followed the above steps but all seemed to work fine on my end. Going to need more info to proceed, unless you can put a patch up on your own.

snelson’s picture

Status: Postponed (maintainer needs more info) » Fixed

I committed a modification to user.login that calls sess_regenerate(). This should hopefully fix your issue.

Committed to D5 dev and D6 dev

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
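
The approach discussed in this thread, issuing a fresh session when a user logs in through a service call, shown as an added example with plain PHP sessions; it is not the Services module's code or the committed change. It uses PHP's native `session_regenerate_id()` instead of Drupal's `sess_regenerate()`, and `check_credentials()`, `service_login()` and the sample accounts are hypothetical.

```php
<?php
// Added illustration using plain PHP sessions, not Drupal's session handler.
// check_credentials() and service_login() are hypothetical names.

function check_credentials(string $name, string $pass): ?array {
    // Constructed sample accounts; a real site would query its user store.
    $accounts = [
        'moderator' => ['uid' => 2, 'hash' => password_hash('mod-pass', PASSWORD_DEFAULT)],
        'visitor'   => ['uid' => 3, 'hash' => password_hash('visitor-pass', PASSWORD_DEFAULT)],
    ];
    if (!isset($accounts[$name]) || !password_verify($pass, $accounts[$name]['hash'])) {
        return null;
    }
    return ['uid' => $accounts[$name]['uid'], 'name' => $name];
}

function service_login(string $name, string $pass): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $account = check_credentials($name, $pass);
    if ($account === null) {
        return false; // failed login: leave the existing session untouched
    }
    // Discard whatever the previous user (or an anonymous visit) stored,
    // then issue a new session id and delete the old session record so the
    // id carried by the browser before this login no longer maps to anything.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['uid'] = $account['uid'];
    $_SESSION['name'] = $account['name'];
    return true;
}

// Same "browser" (one PHP process here): moderator first, then visitor.
service_login('moderator', 'mod-pass');
$first = session_id();
service_login('visitor', 'visitor-pass');
$second = session_id();

// Output is printed last so no session call runs after output has started.
var_dump($first !== $second, $_SESSION['name'], isset($_SESSION['uid']));
```

Run from the command line with `php`, the two session ids can be compared directly; in a web request the new id reaches the browser as a replacement session cookie.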