
This queue is for tickets about the Apache2-AuthCookieDBI CPAN distribution.

Report information
The Basics
Id: 75723
Status: resolved
Priority: 0/
Queue: Apache2-AuthCookieDBI

People
Owner: Nobody in particular
Requestors: ccolumbu [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 2.14
Fixed in: (no value)



Subject: Expired sessions do not return so users remain logged in
There are several session checks in:
sub authen_ses_key {

Like this one:
if ( ( !$tie_result ) || $EVAL_ERROR ) {

However when the check fails, it prints an error to the log but does not have a return; after the message so the code continues and the user is allowed access to the secured directory even if the session has been removed or expired
From: ccolumbu [...] gmail.com
On Mon Mar 12 18:36:00 2012, ccolumbu wrote:
> There are several session checks in:
> sub authen_ses_key {
>
> Like this one:
> if ( ( !$tie_result ) || $EVAL_ERROR ) {
>
> However when the check fails, it prints an error to the log but does not
> have a return; after the message so the code continues and the user is
> allowed access to the secured directory even if the session has been
> removed or expired
Correction, there are not "several"; in fact this seems to be the one check that is broken. Adding a return to my module fixed it.
Version 2.14 has the following code in auth_ses_key:

    if ( ( !$tie_result ) || $EVAL_ERROR ) {
        $r->log_error(
            "$class: failed to tie session hash to '$c{'DBI_sessionmodule'}' using session id $session_id for user $user for auth_realm $auth_name, error was '$EVAL_ERROR'",
            $r->uri
        );
        return;
    }
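
The failure mode discussed in this ticket, shown as an added example that is not part of the ticket or of the Apache2-AuthCookieDBI code: a session check that logs a failed load and falls through, beside the same check with the early return. The names `%SESSION_STORE`, `load_session`, `check_fail_open` and `check_fail_closed` are hypothetical, and the session data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use English qw(-no_match_vars);

# Constructed sample data: one live session; 'expired-id' is deliberately absent.
my %SESSION_STORE = ( 'live-id' => { user => 'alice' } );

# Hypothetical stand-in for tying the session hash: dies when the session is gone.
sub load_session {
    my ($session_id) = @_;
    my $data = $SESSION_STORE{$session_id}
        or die "session $session_id does not exist\n";
    return $data;
}

# Pattern described in the report: the failure is logged, then execution continues.
sub check_fail_open {
    my ( $user, $session_id, $log ) = @_;
    my $session = eval { load_session($session_id) };
    if ( !$session || $EVAL_ERROR ) {
        push @{$log}, "failed to load session $session_id for user $user";
    }
    return $user;    # reached even after the error above
}

# Same check with an explicit return, so a failed load denies access.
sub check_fail_closed {
    my ( $user, $session_id, $log ) = @_;
    my $session = eval { load_session($session_id) };
    if ( !$session || $EVAL_ERROR ) {
        push @{$log}, "failed to load session $session_id for user $user";
        return;
    }
    return $user;
}

# Run both variants against a live and a missing session and report the decision.
for my $case ( [ 'alice', 'live-id' ], [ 'alice', 'expired-id' ] ) {
    my ( $user, $sid ) = @{$case};
    my @log;
    my $open   = check_fail_open( $user, $sid, \@log );
    my $closed = check_fail_closed( $user, $sid, \@log );
    printf "%-10s fail-open=%s fail-closed=%s\n", $sid,
        defined $open   ? 'allowed' : 'denied',
        defined $closed ? 'allowed' : 'denied';
}
```

A check of this shape, run against a session id that has been deleted from the store, works as a regression test for a locally modified authentication handler.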