On Tue, Nov 07, 2000 at 12:41:52PM +0100, Gerald Richter wrote:
> I have commited a new version into the CVS which should solve the
> DeleteSession problem and also the GetSession problem you reported a few
> days ago.
works great
currently it sends the cookie every time, but (as gerald and i
discussed privately) i have a feeling thats a modperl 1.24 issue.
if you write to %udat after calling DeleteSession, then it creates the
session in the database (or on disk, etc), but still deletes the
cookie. if you do this, you probably deserve to leak sessions tho ;)
(reading after deleting is fine)
> I don't know from where the session tainting problem comes. You may try to
> untaint the session_id in line 270 of Embperl/Session.pm by modifing it
> from:
[snip code]
> this should untaint the newly generated session id.
my point was that it tries to create whatever session the browser asks
for. imo, if the browser has a cookie for which no session exists, the
browser should get given a new randomly generated session, just as if
it had no existing cookie.
if it wasn't for taint, it'd be a real security issue. consider what
would happen using FileStore and a session id of "../../bin/httpd" (or
some path that exists).
to reproduce:
go to a page that uses %udat.
quit netscape.
edit ~/.netscape/cookies and change the session id to something that
it shouldn't be.
now go to a page that uses %udat again.
--
- Gus
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
