View Issue Details
Field | Value
---|---
ID | 0011738
Project | mantisbt
Category | authentication
View Status | public
Date Submitted | 2010-04-01 04:11
Last Update | 2023-02-15 09:53
Reporter | bobonov
Assigned To | dhx
Priority | urgent
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.2.0
Target Version | 1.3.0-beta.1
Fixed in Version | 1.3.0-beta.1
Summary | 0011738: $g_session_key parameter is not working
Description | Trying to use it and it is not working: different installations with different $g_session_key values share the session.
Steps To Reproduce | I made a first installation, configured it and inserted all the users.
Additional Information | This can lead to a potential security issue if a user has different privileges on the two installations.
Tags | No tags attached.
I assume you've set $g_cookie_path to a different value for each installation?

I thought that everything about multiple installations was managed by a single option. Maybe it would be useful, in the configuration file, to add to the comments of $g_session_key that you must also modify $g_cookie_prefix.
So if the user changes $g_session_key everything works as expected, and the user still has the possibility to do more personalisation.

I don't see any need to allow MantisBT administrators to set the session key themselves. We should be able to just assign a random value to it based on the new $g_crypto_random_salt configuration option in MantisBT 1.3.x.

Removed $g_session_key - it is now derived from $g_crypto_master_salt.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
MantisBT: master 2ad35dd7 2009-03-30 10:43
Fix 0010187: Segment the PHP session via a unique key, so as to play nice with neighboring apps.
Affected Issues: 0010187, 0011738
mod - core/session_api.php
mod - config_defaults_inc.php

MantisBT: master 1416aaf1 2010-12-25 04:20
Issue 0011738: Deprecate $g_session_key configuration option. We don't need to use a unique 'session_key' configuration option anymore as we can just derive a unique key from $g_crypto_master_salt.
Affected Issues: 0011738
mod - config_defaults_inc.php
mod - core/obsolete.php
mod - core/session_api.php

MantisBT: master e487d70f 2010-12-25 08:07
Fix 0011738: Use an ASCII compatible session key. Commit 1416aaf1343a7d2122a099a5e6feb1f847621f2d deprecated $g_session_key in favour of a unique key automatically derived from $g_crypto_master_salt. However a bug existed in this commit whereby the output of the hash() function was raw data, thus leading to failure of PHP sessions. We need to ensure that the session key is ASCII compatible.
Affected Issues: 0011738
mod - core/session_api.php
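The two commits above describe the defect and its fix in words only: a session key derived from $g_crypto_master_salt is sound, but only if the derived value is ASCII-safe before it reaches PHP's session layer. The following is an added example, not MantisBT's own session_api.php code, that contrasts the raw-bytes form with the hex-encoded form and checks each against PHP's documented requirement that a session name contain only alphanumeric characters. The salt values, the 'MantisBT' prefix, the choice of sha256, and the assumption that the original bug corresponds to hash() being called with its raw-output argument are all constructed for illustration.

```php
<?php
// Added example (not MantisBT code): deriving a PHP session name from the
// master salt, and validating it before calling session_name().

// Constructed placeholder; a real installation uses its own $g_crypto_master_salt.
$g_crypto_master_salt = 'constructed-example-salt-do-not-reuse';

/**
 * Raw-bytes form. Assumed to mirror the defect in commit e487d70f's description:
 * hash() with its third argument set returns arbitrary binary (including NUL),
 * which is not usable as a session name and breaks PHP sessions.
 */
function derive_session_key_raw(string $salt): string
{
    return hash('sha256', $salt, true);
}

/**
 * Fixed form. The default hex digest is ASCII [0-9a-f]; a letter prefix
 * (a constructed choice) keeps the name from being purely numeric.
 */
function derive_session_key_ascii(string $salt): string
{
    return 'MantisBT' . hash('sha256', $salt);
}

/**
 * Check reflecting the PHP manual's guidance for session_name(): the name
 * should contain only alphanumeric characters and must not be all digits.
 */
function is_valid_session_name(string $name): bool
{
    return $name !== ''
        && preg_match('/^[A-Za-z0-9]+$/', $name) === 1
        && !ctype_digit($name);
}

$raw   = derive_session_key_raw($g_crypto_master_salt);
$ascii = derive_session_key_ascii($g_crypto_master_salt);

printf("raw key valid:   %s (%d bytes of binary)\n",
    is_valid_session_name($raw) ? 'yes' : 'no', strlen($raw));
printf("ascii key valid: %s (%s)\n",
    is_valid_session_name($ascii) ? 'yes' : 'no', $ascii);

// Two installations with different salts get distinct session names, which is
// what stops the cross-installation session sharing the reporter observed.
$other = derive_session_key_ascii('constructed-second-installation-salt');
printf("distinct per installation: %s\n", $other !== $ascii ? 'yes' : 'no');

// Only a validated, ASCII-safe key is handed to PHP's session layer.
if (is_valid_session_name($ascii)) {
    session_name($ascii);
}
```

Run it from the command line with `php` on any installation; the raw form fails the check while the hex form passes, and changing the salt changes the derived name, so each installation keeps its own cookie and session namespace.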