[imp] user getting other people's sessions
Bjørn Ove Grøtan
bjorn.grotan@itea.ntnu.no
Tue, 20 Aug 2002 11:03:12 +0200
Fabien COMBERNOUS:
>
> Lo,
>
> I have reports about the same thing. I thought it was a joke. But with
> this mail, perhaps it was not. On my side, users get only a valid
> login. Password field was not valid.
I've got reports saying the same thing. The problem has occurred for
approx. 5-10 people in a period within 6-8 months. This weekend we changed
to IMP 3.1 and added better session-handling for PHP (entropy in php.ini).
> > IMP 3.0
> > -------
> >
> > I have users saying to me that they get other people's sessions while
> > using IMP sometimes.
> >
> > Anyone else here have this problem as well, or has this issue been
> > dealt with and if so, what can I do to patch it up quickly without
> > having to upgrade?
A quick solution as far as we could see was to make use of the entropy
variables in php.ini. This would make a more unique session_id.
Best regards
Bjørn Ove Grøtan
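
A check for the setting described in the reply above, as an added example that is not part of the original message: it reads a php.ini and reports whether PHP is told to mix extra random bytes into new session ids. The email does not name the directives; session.entropy_file and session.entropy_length are the PHP session settings of that era, and the function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit php.ini for session entropy.

# ini_value FILE KEY -> last uncommented value of KEY (empty if unset)
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }              # whole-line comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)     # trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = v           # last assignment wins
        }
        END { print val }
    ' "$1"
}

# check_session_entropy FILE -> 0 if extra entropy is configured, else 1
check_session_entropy() {
    src=$(ini_value "$1" session.entropy_file)
    len=$(ini_value "$1" session.entropy_length)
    case "$len" in ''|*[!0-9]*) len=0 ;; esac   # unset or non-numeric
    if [ -z "$src" ] || [ "$len" -eq 0 ]; then
        echo "WEAK: session.entropy_file='$src' session.entropy_length=$len"
        return 1
    fi
    echo "OK: $len bytes from $src are mixed into each new session id"
    return 0
}

# Constructed sample php.ini: entropy source commented out, length 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Session]
session.save_handler = files
;session.entropy_file = /dev/urandom
session.entropy_length = 0
EOF
check_session_entropy "$sample" || true     # reports WEAK for this sample
rm -f "$sample"
```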