[imp] user getting other people's sessions
Fabien COMBERNOUS
fcombernous@eprocess.fr
Tue, 20 Aug 2002 11:30:29 +0200
Humm i'm running the lastest horde et imp versions.
On Tue, Aug 20, 2002 at 11:03:12AM +0200, Bjørn Ove Grøtan wrote :
> Fabien COMBERNOUS:
> >
> > Lo,
> >
> > I have reporting about same thing. I thougth it was a joke. But with
> > this mail, perhaps it was not. In my side, users get only a valid
> > login. Password field was not valid.
>
> I've got reports saying the same thing. The problem has occured for
> aprox. 5-10 people in a period within 6-8 months. This weekend we changed
> to IMP 3.1 and added better session-handling for PHP (entropy in php.ini).
>
>
> > > IMP 3.0
> > > -------
> > >
> > > I have users saying to me that they get other people's sessions while
> > > using IMP sometimes.
> > >
> > > Anyone else here have this problem as well, or has this issue been
> > > dealt with and if so, what can I do to patch it up quickly without
> > > having to upgrade?
>
> A quick solution as far as we could see was to take use of the entropy
> variables in php.ini. This would make a more unique session_id.
>
> Best regards
>
> Bjørn Ove Grøtan
>
--
Fabien COMBERNOUS - IT Engineer
eProcess - Parc Club du Millénaire Batiment n° 6
1025 rue Henri Becquerel - 34000 Montpellier FRANCE
http://www.eprocess.fr - +33 (0)4 67 13 84 50