Download & Extend
Token authentication » Issues

Session left behind - not closed

Posted by irakli on June 19, 2009 at 11:26pm
Project:Token authentication
Version:6.x-1.1
Component:Code
Category:bug report
Priority:critical
Assigned:irakli
Status:closed (fixed)

Issue Summary

Something wrong with the session expiration code. It does not expire (Tried Chrome and FFX on OS-X) and can be serious security risk.

However, if I change manual session kill with session_destroy() function, it works like a charm (please see attached patch).

Can you please review?

Thanks.

Login or register to post comments

Comments

#1

Posted by irakli on June 19, 2009 at 11:27pm
AttachmentSize
tokenauth.module.patch 351 bytes

#2

Posted by irakli on June 23, 2009 at 3:21pm
Status:active» fixed

Fixed in CVS. Waiting for the security team review to make a security patch release.

#3

Posted by System Message on July 7, 2009 at 3:30pm
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#4

Posted by irakli on July 16, 2009 at 5:27am
Status:closed (fixed)» fixed

Unfortunately, have not heard back from the security team, so will be releasing as bug-fix, not security update. Better than nothing, I guess.

#5

Posted by System Message on July 30, 2009 at 5:30am
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

nobody click here