[imp] Fix for broken SQL session handlers since IMP 3.2.2

Chuck Hagenbuch chuck at horde.org
Wed Aug 11 20:52:12 PDT 2004


Quoting Michael Schout <mschout at gkg.net>:

> Apparently, this is the change that breaks SQL session handlers.  If I
> remove the lines that were added in IMP 3.2.2, (the getCleanSession()
> call), then everything works perfectly.
>
> I don't know enough about the logic as to why this change was made in IMP
> 3.2.2, and I don't know why it breaks SQL sessions.  But if I remove the
> getCleanSession() call, it fixes the problem.

No, it simply makes you vulnerable to session fixation attacks; the problem is
still there, routed around. Look later on in getCleanSession(); it calls
setupSessionHandler() to reinitialize custom session handlers. Obviously that's
not working for you; you need to find out why.

-chuck

--
"Regard my poor demoralized mule!" - Juan Valdez
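
The trade-off described in the reply above, as an added example that is not part of the original message and is not Horde or IMP code: a toy Python model of a login that either keeps the presented session id, replaces it and re-registers the SQL handler, or replaces it without re-registering. `Store`, `Runtime`, `login` and `scenario` are hypothetical names, and the model assumes that destroying a session drops the custom handler, which is why it has to be set up again.

```python
import secrets

class Store:
    """Constructed stand-in for a session backend (SQL table or default files)."""
    def __init__(self):
        self.rows = {}
    def read(self, sid):
        return dict(self.rows.get(sid, {}))
    def write(self, sid, data):
        self.rows[sid] = dict(data)
    def destroy(self, sid):
        self.rows.pop(sid, None)

class Runtime:
    """Toy session runtime. Assumption: destroying a session drops the custom handler."""
    def __init__(self):
        self.default = Store()          # models the built-in, non-SQL store
        self.handler = self.default
    def setup_session_handler(self, store):
        self.handler = store
    def start(self, sid=None):
        sid = sid or secrets.token_hex(16)   # a presented id is adopted as-is
        return sid, self.handler.read(sid)
    def destroy(self, sid):
        self.handler.destroy(sid)
        self.handler = self.default

def login(rt, sql, presented_sid, user, clean=True, reinit=True):
    """Handle a login request; return the session id sent back to the browser."""
    rt.setup_session_handler(sql)
    sid, data = rt.start(presented_sid)
    if clean:                            # the "clean session" step
        rt.destroy(sid)
        if reinit:                       # re-register the SQL handler
            rt.setup_session_handler(sql)
        sid, data = rt.start()           # fresh id the attacker cannot know
    data["user"] = user
    rt.handler.write(sid, data)
    return sid

def scenario(clean, reinit):
    """Return (planted id logged in?, issued id logged in?) as seen in the SQL store."""
    sql, planted = Store(), "id-planted-by-attacker"   # constructed value
    issued = login(Runtime(), sql, planted, "victim", clean, reinit)
    return sql.read(planted).get("user") == "victim", sql.read(issued).get("user") == "victim"

if __name__ == "__main__":
    for clean, reinit in [(False, False), (True, True), (True, False)]:
        print(f"clean={clean} reinit={reinit} ->", scenario(clean, reinit))
```

In this model, skipping the clean-session step leaves the planted id authenticated, while keeping it without re-registering the handler writes the new session to the wrong store, so the login does not persist.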

