Nope. It's a bug fix.

Details on how to reproduce the bug are at
http://www.manniwood.net/apache_stuff/mod_usertrack_patch.html but to
summarise:

Let's say your tracking cookie is named "ID".

Let's say the browser returns the cookie header

Cookie: foo=barIDhere; ID=123456789

The current, buggy mod_usertrack's use of strstr() on the entire cookie
header to find the cookie name does the following with the above header:

1. Find "ID" (the name of the usertrack cookie) in the body of the value
of the cookie "foo"

2. skip over the letter "h" in "barIDhere", assuming it is the equal
sign after the cookie name

Cookie: foo=barIDhere; ID=123456789
^

3. adopt the value "ere" as the tracking cookie name.

My patch fixes the problem, and Cliff Woolley has already been kind
enough to shepherd the patch through the voting process, etc., to get it
into the 2.1.x and 2.0.x series. 1.3.x needs the patch too.

-Manni

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [PATCH] mod_usertrack cookie matching

This seems almost more an enhancement rather than
a bugfix... Or am I reading it wrong?

On Wednesday, October 15, 2003, at 04:52 PM, Cliff Woolley wrote:
>
>
> Attached is a patch by Manni Wood for the 1.3.x series that fixes a
> problem in mod_usertrack where the usertracking cookie will be
> incorrectly identified. It simply switches from a strstr to a regex
> match.
>
> The equivalent patch has already been committed to 2.1 and 2.0. Votes for
> 1.3 inclusion?
>
> +1 from me.
>
> --Cliff
> <mod_usertrack_1.3.28.patch>
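
Added example, not part of the original mail or of the mod_usertrack patch: the strstr() lookup the mail describes, next to an anchored regex lookup, both run on the header quoted in the mail. The function names and the regex pattern are assumptions made for illustration; the patch's own pattern does not appear on this page.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Lookup as the mail describes it: strstr() over the whole header, then
 * skip the name plus one character assumed to be '='. */
int value_strstr(const char *hdr, const char *name, char *out, size_t outlen)
{
    const char *p = strstr(hdr, name);
    if (p == NULL || strlen(p) <= strlen(name))
        return 0;
    p += strlen(name) + 1;              /* skips the 'h' in "barIDhere" */
    snprintf(out, outlen, "%.*s", (int)strcspn(p, ";"), p);
    return 1;
}

/* Anchored lookup: the name must start the header or follow a ';'
 * separator, and be followed by '='. Assumes the name contains no regex
 * metacharacters. */
int value_regex(const char *hdr, const char *name, char *out, size_t outlen)
{
    char pat[256];
    regex_t re;
    regmatch_t m[3];
    int found;

    snprintf(pat, sizeof pat, "(^|;[ \t]*)%s=([^;]*)", name);
    if (regcomp(&re, pat, REG_EXTENDED) != 0)
        return 0;
    found = regexec(&re, hdr, 3, m, 0) == 0;
    if (found)
        snprintf(out, outlen, "%.*s", (int)(m[2].rm_eo - m[2].rm_so),
                 hdr + m[2].rm_so);
    regfree(&re);
    return found;
}

int main(void)
{
    const char *hdr = "foo=barIDhere; ID=123456789"; /* header from the mail */
    char a[64] = "", b[64] = "";

    value_strstr(hdr, "ID", a, sizeof a);
    value_regex(hdr, "ID", b, sizeof b);
    printf("strstr: %s\nregex:  %s\n", a, b);
    return 0;
}
```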