Password not asked after password change

I can agree with this. In internet explorer, if you log on to a node and don't delete your temporary internet files, every time you go that node again, even if the password is changed you will have access. This seems like a security hole to me.

The problem is that the password acceptance was saved in the $_SESSION as TRUE. That's it.

I'm thinking to change that with a date instead. That way, when you change the password, I can save that date and if a user comes on that node and the date of the $_SESSION is too old, it breaks (i.e. you have to re-enter the password.)

Thank you.
Alexis

The hash is 40 characters (sha1) A date is 4 bytes (well, should be 8 to support time after 2068).

But there are other advantages to having a date: we can time out the password in say 2h even if the sessions time out is setup at 14 days. (There is a request in that regard!) Plus, I'd like us to be able to cancel all sessions at once. This again will work great with a time out.

As a side note: I know that the sessions are in the database in a default Drupal system. However, we cannot expect all installations to have such. There are optimizations that move sessions to memory, for example. Those would no work with SQL orders. Hence, the time and date.

Thank you for the reply.
Alexis

Hi teecee,

Good question. The module extension in regard to sessions will move the sessions to memory. That means you have access to them only via the regular session functions and not with SQL.

The following is what Core does when booting. As you can see it replaces the session commands with sess_open/close/read... Those functions are defined in ./includes/session.inc (which is why they include that file at that point.)

    case DRUPAL_BOOTSTRAP_SESSION:
      require_once variable_get('session_inc', './includes/session.inc');
      session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
      session_start();
      break;

By default, PHP will use files to create sessions. You have one folder where you'd get thousands of files. One file represents one session. With 100 or less, it's still fast, with thousands it could get slow (although frankly with ext3 or ext4 on your hard drive, you'd still be fine.)

So... now if you look at the sess_open/close/read... functions, you'll see that the read is a SELECT * FROM {session} ... and the sess_write is an UPDATE (or INSERT INTO). This means you can search the sessions for entries such as '_protected_node' and modify them. However, if you change the session processing on your website, that would break badly. 8-}

Hope that helps clarifying. It's important for everyone to be aware of those things. I actually think that using the database for sessions slows down our server dramatically and I'll have to change that just so we can save a lot on I/O.

Thank you.
Alexis

Okay, the newst 6.x-1.x will have a fix for this one. I use the date as mentioned in previous posts.

Thank you.
Alexis Wilke

See:
http://drupalcode.org/project/protected_node.git/commit/3df5326