Session left behind - not closed

irakli - June 19, 2009 - 23:26
Project: Token authentication
Version: 6.x-1.1
Component: Code
Category: bug report
Priority: critical
Assigned: irakli
Status: closed
Description

Something is wrong with the session expiration code. It does not expire (tried Chrome and FFX on OS-X) and can be a serious security risk.

However, if I replace the manual session kill with the session_destroy() function, it works like a charm (please see attached patch).

Can you please review?

Thanks.

#1

irakli - June 19, 2009 - 23:27
Attachment: tokenauth.module.patch (351 bytes)

#2

irakli - June 23, 2009 - 15:21
Status: active » fixed

Fixed in CVS. Waiting for the security team review to make a security patch release.

#3

System Message - July 7, 2009 - 15:30
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.

#4

irakli - July 16, 2009 - 05:27
Status: closed » fixed

Unfortunately, I have not heard back from the security team, so I will be releasing this as a bug fix, not a security update. Better than nothing, I guess.

#5

System Message - July 30, 2009 - 05:30
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.

 
 
