Not necessarily: what if you set session tokens for visitors as well?
You would not want to clear these out.

Since a session is not tied to auth but to the client visiting the
website, you should clear these out manually in your logout function.

-Thadeus
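An added illustration of the two behaviours discussed in this thread (not web2py code, and not from anyone in the thread): a framework-style logout that only recycles the session token and drops the auth state, next to an application logout that also removes the user-scoped keys while keeping visitor-scoped ones. The `Session` class is a constructed stand-in, the single `auth` key and the `user_` prefix convention are assumptions made for the example, and `leaked_user_keys` is a hypothetical post-logout check.

```python
import secrets


class Session(dict):
    """Constructed stand-in for a framework session: application data in the
    dict plus a server-side session id (the cookie token). Not web2py's class."""

    def __init__(self):
        super().__init__()
        self.sid = secrets.token_hex(16)

    def renew(self):
        """Issue a fresh session id (what 'recycling the session token' means).
        The application data is deliberately left untouched, which is why keys
        set while logged in survive a logout that only renews the token."""
        self.sid = secrets.token_hex(16)
        return self.sid


# Assumption for this example: the framework keeps its auth state under one key.
AUTH_KEYS = ("auth",)
# Assumed naming convention: application keys belonging to the logged-in user
# carry a "user_" prefix; anything else is visitor-scoped (a form token, an
# anonymous cart) and must survive logout.
USER_PREFIX = "user_"


def login(session, user_id):
    """Mark the session as authenticated and rotate the id (fixation defence)."""
    session.renew()
    session["auth"] = {"user_id": user_id}
    return session.sid


def framework_logout(session):
    """Models the behaviour described in the thread: auth variables cleared and
    the session token recycled, other session keys left alone."""
    for key in AUTH_KEYS:
        session.pop(key, None)
    return session.renew()


def app_logout(session):
    """Thadeus's advice applied: after the framework logout, explicitly drop the
    user-scoped application keys while keeping the visitor-scoped ones."""
    new_sid = framework_logout(session)
    user_keys = [k for k in session if k.startswith(USER_PREFIX)]
    for key in user_keys:
        del session[key]
    return new_sid


def leaked_user_keys(session):
    """Hypothetical post-logout check: any auth or user-scoped key still present
    means the logout did not clean up the session properly."""
    return sorted(k for k in session
                  if k in AUTH_KEYS or k.startswith(USER_PREFIX))


def demo():
    """Run both logout styles on a constructed session and report the outcome."""
    s = Session()
    s["visitor_token"] = "constructed-visitor-token"   # set before any login

    login(s, user_id=42)
    s["user_cart"] = ["item-1"]
    s["user_role"] = "editor"
    # Framework-only logout: token recycled, auth gone, but user_* keys survive.
    framework_logout(s)
    leaked_after_fw = leaked_user_keys(s)

    # Log in again and use the application logout instead.
    sid_before_app = login(s, user_id=42)
    s["user_cart"] = ["item-1"]
    sid_after_app = app_logout(s)

    return {
        "leaked_after_fw": leaked_after_fw,
        "leaked_after_app": leaked_user_keys(s),
        "visitor_kept": "visitor_token" in s,
        "sid_rotated": sid_after_app != sid_before_app,
    }


if __name__ == "__main__":
    print(demo())
```

The `leaked_after_fw` result is exactly the symptom sveinh reports: the token changes and `auth` disappears, yet `user_cart` and `user_role` are still there when the same client logs in again, so the application's own logout handler has to remove them.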





On Mon, Feb 1, 2010 at 3:38 PM, sveinh <[email protected]> wrote:
> Hi
>
> Thanks for the update.
>
> Regarding 2), I'm not talking about auth-tokens in Session, but
> whatever other tokens the programmer has entered into session. Should
> these not also be cleared?
>
> sveinh
>
> On Feb 1, 8:49 pm, mdipierro <[email protected]> wrote:
>> Entering panic mode!
>>
>> You are correct about 1). There is a major bug in 1.74.8. One line in
>> tools.py appears to be missing. I must have accidentally while
>> applying the "remember me" patch.
>>
>> I have fixed this in trunk. I have posted 1.74.9.
>>
>> !!! EVERYONE PLEASE UPGRADE. THIS IS A MAJOR SECURITY ISSUE !!!
>>
>> 2) is not a problem. That is normal web2py behavior. It recycles the
>> session tokens. All auth variables are cleared at logout.
>>
>> Massimo
>>
>> On Feb 1, 1:01 pm, sveinh <[email protected]> wrote:
>>
>> > Hi
>>
>> > I'd like to report two things I have encountered regarding
>> > authentication:
>>
>> > 1) Login with no (or wrong) password
>> > I have made no changes to the source, open the Welcome application,
>> > register a new user, then log in. When logging in, I use the same
>> > e-mail as when registering, and a blank password.
>>
>> > It logs me in successfully.
>>
>> > Is this a bug?
>>
>> > 2) Session present after logout
>> > I set a session variable while logged in. When I log the user out, then
>> > in again, the session variable is still present. I would assume that a
>> > session should be cleared when logging out? Or will the user be
>> > connected to the same session when logging in again before session
>> > timeout?
>>
>> > In advance, thanks!
>>
>> > -sveinh
>>
>> > My runtime env:
>>
>> > Running with Firefox on Ubuntu 9.10 Desktop:
>>
>> > python2.5 web2py.py --nogui
>> > web2py Enterprise Web Framework
>> > Created by Massimo Di Pierro, Copyright 2007-2010
>> > Version 1.74.8 (2010-01-24 16:46:23)
>> > Database drivers available: SQLite3
>> > Starting cron...
>> > choose a password:something
>> > please visit:
>> >        http://127.0.0.1:8000
>> > use "kill -SIGTERM 5364" to shutdown the web2py server
>
> --
> You received this message because you are subscribed to the Google Groups 
> "web2py-users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/web2py?hl=en.
>
>
