Dear all,

I have just uploaded a new developer release of BasicSession to CPAN. A 
review performed by the original author Mike Nachbaur and myself, 
prompted by the problems Tom Kirkpatrick has reported with the module, 
revealed that BasicSession was in fact not invalidating sessions 

This may have security implications as information may be carried over, 
including authentication tokens, to a session even though the user 
believed that the previous session was exited. 

We believe that we have fixed this particular problem, as well as a 
number of smaller problems with this release. Given that there are 
security implications, I felt that it was appropriate to release this 
now, as well as this short advisory.

Note, however, that we have not tested this extensively, and while it 
seems to be OK with the File and DB_File backend, and usually OK with 
the PostgreSQL backend, we have noted problems with the latter, it has 
been seen to sit there and spin indefinitely. So, until more testing 
has been performed, one has the choice between a module that has 
security implications, and one that has seen little testing and has 
known issues. So, that's why this has been uploaded as a developer 
release and not an ordinary release. Caveat programmor. Your call. No 
warranties. Et cetera.

It appears to clear out some quite confusing issues that have been 
present in earlier releases, although we're not sure it corrects all 
known problems. Success or failure reports are welcome.

So to the formalities: I report that the uploaded file
has entered CPAN as

 size: 14668 bytes
   md5: 4e6cc5f2ab406e198bf0ddc3e33b8688

From the changelog:
0.23_2   2005-04-28 02:45
        - Invalidation of session didn't work properly, which has
          obvious SECURITY issues. We found this as a result of a
          review sparked by inquiries by Tom Kirkpatrick.
        - Tom Kirkpatrick pointed out that get-last-accessed-time
          returned a meaningless time. Mike Nachbaur provided a patch
          for that.
        - When using a Pg based backend, different defaults should
        - Actually implement the comment in enumerate.
        - Some documentation cleanups.
        - Added quite a lot of debugging statements. 


Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
Homepage:        OpenPGP KeyID: 6A6A0BBC

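The failure mode described above, a "logout" that leaves the stored session record (and any authentication token in it) reachable under the same session id, as an added illustration. This is not BasicSession's code and does not model the module's actual defect; it uses a constructed in-memory backend (the hash %backend) standing in for the File, DB_File and PostgreSQL stores, and the functions load_session, save_session, broken_logout and proper_logout are assumed names for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of BasicSession: why clearing a session without
# invalidating it carries data (including auth tokens) into the next request,
# and what a proper invalidation does instead.
use strict;
use warnings;

# Constructed stand-in for a File/DB_File/Pg session backend: id => record.
my %backend;

sub new_session_id {
    # Assumption for the demo only; a real module needs a cryptographically
    # strong source of session ids.
    return sprintf("%08x%08x", int(rand(2**32)), int(rand(2**32)));
}

# Load the record for an id the client presented, or start a new session.
# Returns the id and a working copy of the record, as a tied session hash
# holds before it is written back to the store.
sub load_session {
    my ($id) = @_;
    if (!defined $id || !exists $backend{$id}) {
        $id = new_session_id();
        $backend{$id} = {};
    }
    return ($id, { %{ $backend{$id} } });
}

# Write the working copy back to the store.
sub save_session {
    my ($id, $data) = @_;
    $backend{$id} = { %$data };
}

# Broken "logout": empties the working copy only. The stored record is never
# deleted and the same id is handed back, so the next request that presents
# that id gets the old record, auth token included.
sub broken_logout {
    my ($id, $data) = @_;
    %$data = ();
    return $id;
}

# Proper invalidation: remove the stored record and forget the id, so the
# client is issued a fresh, empty session on its next request.
sub proper_logout {
    my ($id, $data) = @_;
    delete $backend{$id};
    %$data = ();
    return undef;
}

# Broken path: the token survives the logout.
my ($id, $s) = load_session(undef);
$s->{auth_token} = 'token-for-alice';   # constructed value
save_session($id, $s);
my $kept_id = broken_logout($id, $s);
my (undef, $again) = load_session($kept_id);
printf "after broken logout: same id, auth_token=%s\n",
    defined $again->{auth_token} ? $again->{auth_token} : 'none';

# Proper path: record gone, new id, no token.
my ($id2, $s2) = load_session(undef);
$s2->{auth_token} = 'token-for-bob';    # constructed value
save_session($id2, $s2);
my $gone = proper_logout($id2, $s2);
my ($id3, $after) = load_session($gone);
printf "after proper logout: new id=%s, auth_token=%s\n",
    ($id3 ne $id2 ? 'yes' : 'no'),
    defined $after->{auth_token} ? $after->{auth_token} : 'none';
```

The check that matters for any session module, whichever backend is in use, is the second half of this script: after logout, presenting the old id must not return the old record, and the id the client ends up with must differ from the one it had before.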