Hi

Thanks for the reply. I see your point.

Would using "auth.settings.logout_next" be a good place to do this?

-sveinh

On Feb 1, 10:42 pm, Thadeus Burgess <[email protected]> wrote:
> Not necessarily, what if you set session tokens to visitors as well?
> You would not want to clear these out.
>
> Since a session is not tied to auth, a session is tied to the client
> visiting the website, you should clear these out manually in your
> logout function.
>
> -Thadeus
>
> On Mon, Feb 1, 2010 at 3:38 PM, sveinh <[email protected]> wrote:
> > Hi
> >
> > Thanks for the update.
> >
> > Regarding 2), I'm not talking about auth-tokens in Session, but
> > whatever other tokens the programmer has entered into session. Should
> > these not also be cleared?
> >
> > sveinh
> >
> > On Feb 1, 8:49 pm, mdipierro <[email protected]> wrote:
> >> Entering panic mode!
> >>
> >> You are correct about 1). There is a major bug in 1.74.8. One line in
> >> tools.py appears to be missing. I must have accidentally while
> >> applying the "remember me" patch.
> >>
> >> I have fixed this in trunk. I have posted 1.74.9.
> >>
> >> !!! EVERYONE PLEASE UPGRADE. THIS IS A MAJOR SECURITY ISSUE !!!
> >>
> >> 2) is not a problem. That is normal web2py behavior. It recycles the
> >> session tokens. All auth variables are cleared at logout.
> >>
> >> Massimo
> >>
> >> On Feb 1, 1:01 pm, sveinh <[email protected]> wrote:
> >>
> >> > Hi
> >> >
> >> > I'd like to report two things I have encountered regarding
> >> > authentication:
> >> >
> >> > 1) Login with no (or wrong) password
> >> > I have made no changes to the source, open the Welcome application,
> >> > register a new user, then login. When logging in, I use the same
> >> > e-mail as when registering, and password blank.
> >> >
> >> > It logs me in successfully.
> >> >
> >> > Is this a bug?
> >> >
> >> > 2) Session present after logout
> >> > I set a session variable while logged in. Log the user out, then in
> >> > again, the session variable is still present. I would assume that a
> >> > session should be cleared when logging out?
> >> > Or will the user be connected to the same session when logging in
> >> > again before session timeout?
> >> >
> >> > In advance, thanks!
> >> >
> >> > -sveinh
> >> >
> >> > My runtime env:
> >> >
> >> > Running with Firefox on Ubuntu 9.10 Desktop:
> >> >
> >> > python2.5 web2py.py --nogui
> >> > web2py Enterprise Web Framework
> >> > Created by Massimo Di Pierro, Copyright 2007-2010
> >> > Version 1.74.8 (2010-01-24 16:46:23)
> >> > Database drivers available: SQLite3
> >> > Starting cron...
> >> > choose a password:something
> >> > please visit:
> >> > http://127.0.0.1:8000
> >> > use "kill -SIGTERM 5364" to shutdown the web2py server
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "web2py-users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > at http://groups.google.com/group/web2py?hl=en.
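The manual clean-up discussed in the thread, as an added example that is not part of the original messages or of web2py's own code: user-owned session values are recorded as they are set, so a logout function can remove exactly those and leave visitor-level tokens in place. A plain dict stands in for web2py's `session`; the helper names and the `_user_scoped_keys` bookkeeping key are hypothetical.

```python
# Assumption: `session` is a dict-like per-client store, as web2py's session is.
USER_SCOPE = "_user_scoped_keys"  # hypothetical bookkeeping key


def set_user_value(session, key, value):
    """Store a value that belongs to the logged-in user and remember its key."""
    session[key] = value
    scoped = session.setdefault(USER_SCOPE, [])
    if key not in scoped:
        scoped.append(key)


def clear_user_values(session):
    """Call from the application's logout function.

    Removes every key recorded by set_user_value() and returns the keys that
    were actually deleted. Keys set for anonymous visitors are not touched.
    """
    removed = []
    for key in session.pop(USER_SCOPE, []):
        # The application may already have deleted the key itself.
        if key in session:
            del session[key]
            removed.append(key)
    return removed


def demo():
    # Constructed sample data: a visitor token set before anyone logged in.
    session = {"visitor_token": "v-123"}
    set_user_value(session, "cart_owner_email", "alice@example.com")
    set_user_value(session, "draft_invoice", 42)
    del session["draft_invoice"]                 # removed early by the app
    set_user_value(session, "last_report", "q1")
    removed = clear_user_values(session)
    return session, removed


if __name__ == "__main__":
    print(demo())
```

Because the same browser keeps the same session after logout, anything not removed this way is visible to whoever logs in next from that client.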

