Dear all, I have just uploaded a new developer release of BasicSession to CPAN. A review performed by the original author Mike Nachbaur and myself, prompted by the problems Tom Kirkpatrick has reported with the module, revealed that BasicSession was in fact not invalidating sessions properly.
This may have security implications, as information, including authentication tokens, may be carried over to a session even though the user believed that the previous session was exited. We believe that we have fixed this particular problem, as well as a number of smaller problems, with this release. Given that there are security implications, I felt that it was appropriate to release this now, as well as this short advisory.

Note, however, that we have not tested this extensively, and while it seems to be OK with the File and DB_File backends, and usually OK with the PostgreSQL backend, we have noted problems with the latter: it has been seen to sit there and spin indefinitely. So, until more testing has been performed, one has the choice between a module that has security implications, and one that has seen little testing and has known issues. That is why this has been uploaded as a developer release and not an ordinary release. Caveat programmor. Your call. No warranties. Et cetera.

It appears to clear out some quite confusing issues that have been present in earlier releases, although we're not sure it corrects all known problems. Success or failure reports are welcome.

So to the formalities: I report that the uploaded file AxKit-XSP-BasicSession-0.23_2.tar.gz has entered CPAN as

  file: $CPAN/authors/id/K/KJ/KJETILK/AxKit-XSP-BasicSession-0.23_2.tar.gz
  size: 14668 bytes
  md5: 4e6cc5f2ab406e198bf0ddc3e33b8688

From the changelog:

0.23_2 2005-04-28 02:45
- Invalidation of session didn't work properly, which has obvious SECURITY issues. We found this as a result of a review sparked by inquiries by Tom Kirkpatrick.
- Tom Kirkpatrick pointed out that get-last-accessed-time returned a meaningless time. Mike Nachbaur provided a patch for that.
- When using a Pg based backend, different defaults should be used.
- Actually implement the comment in enumerate.
- Some documentation cleanups.
- Added quite a lot of debugging statements.
Cheers, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC