[imp] Fix for broken SQL session handlers since IMP 3.2.2
Chuck Hagenbuch
chuck at horde.org
Thu Aug 12 13:18:50 PDT 2004
Quoting Michael Schout <mschout at gkg.net>:
> Ok, setupSessionHandler() is getting called, and it appears to be
> working properly.
Okay.
> My understanding of what getCleanSession() is doing, is that it is
> trying to throw out the old session id, and generate a new session id.
> In other words, after login, the old session data should get removed,
> and a NEW session id should get used (and the new session data should go
> there). Is this a proper assesment of whats that chunk of code is
> supposed to be doing?
Yes, it should force a new set of session data on login.
> Interesting enough, using "file" session handlers, the old session files
> do not get removed by session_destroy(), and IMP does not change the
> session ID for me on login. For example, when I submit the "login
> form", I am asked to accept the session cookie 3 times, and the session
> id is the same in all 3 cookies. I suspect the reason its still
> re-using the old session id is that the session cookie never gets
> changed? So using "file" sessions, it appears to me that the same
> session ID gets used even after a new login. The reason the login
> actually "works" using file-based sessions is that the old session file
> is still on disk even though we called session_destroy().
You may want to compare the Horde 2.0 and Horde 3.0-HEAD
implementations of this
and see if there are any differences that'd explain the behavior you're
seeing.
> In the SQL driver, session_destroy() does a "DELETE" query to blow away
> the old session record. So after getCleanSession(), we still have the
> same session_id, but the session data was DELETEd from teh database.
Shouldn't be a problem, since it'll just be created again.
> So in my setup, the only reason things work using "file" based sessions
> is because the session files do not get removed by session_destroy().
> However, the SQL driver *does* remove the session data so that is why it
> fails. If I make the SQL driver skip the DELETE query, then sql
> sessions work. Of course, in this case, its behaving just like the file
> based session driver though, because its leaving the original session
> data in the database. This would still leave the "session fixation"
> attack open, right? If so, then the file based session manager is still
> open to this kind of attack because the session id does not change (and
> thus, a new session is not generated) when you submit the imp login
> form.
If that's what's happening, then yes.
> Am I the only one seeing that the session id does not change when the
> login form is submitted? Or am I misunderstanding the entire situation?
> If my understanding is correct, then is the SQL driver doing the wrong
> thing by doing a DELETE query when session_destroy() is called?
No, that's definitely the right thing to do.
-chuck
--
"Regard my poor demoralized mule!" - Juan Valdez
More information about the imp
mailing list