Author Topic: Possible bug? With user account on 2.7  (Read 2151 times)

Offline Bramus

Possible bug? With user account on 2.7
« on: May 14, 2008, 11:48:34 PM »
Hi guys,

I was just working on a website and made a new group and a new user for a website. The website is like this:

Code:
Public_HTML
         -DE
         -FR
         -NL
         -UK
index.html

As you can see I'm using 4 dirs with the language as name. And in those folders are installed the WB 2.7 versions. So I have installed 4x WB on 1 server with 1 database but WITH PREFIX!!

Why I have done the 4 dirs is because of language and as the sites are really big with over 100 pages I decided to use separate installations. Now I changed the session to all the same so people could switch if logged in with same user/pass. But what now happens:

I made a user on the NL page like "beheerder". On the other 3 installations I haven't made anything yet, only the session name to be all the same. If I now use a hyperlink from the NL admin like http://www.website.com/UK/admin I'm suddenly logged in WHILE THAT USER DOES NOT EXIST ON THE UK INSTALLATION!

How is this possible, does WB not check if that user even exists if it is using the same session name?

If this is correct it COULD be (chance is like 1 in 1.000.000) that I have a site with Admin as login name and I check out another URL with the same session name (even it takes a random number) and that installation has also an Admin as login that I suddenly am logged in on that installation?

Is this a bug or am I getting paranoid because of the sleep I did not get the last 5 days?
BRAMUS Internet Services

Offline ruebenwurzel

  • Betatester
Re: Possible bug? With user account on 2.7
« Reply #1 on: May 15, 2008, 07:16:46 AM »
Hello,

Quote
How is this possible, does WB not check if that user even exists if it is using the same session name?

If this is correct it COULD be (chance is like 1 in 1.000.000) that I have a site with Admin as login name and I check out another URL with the same session name (even it takes a random number) and that installation has also an Admin as login that I suddenly am logged in on that installation?

Is this a bug or am I getting paranoid because of the sleep I did not get the last 5 days?

Exactly for this reason we introduced in WB 2.7 at installation a random session identifier. This makes sure that you cannot log in to another WB installation even if there exists the same user with the same password. This was possible with all versions previous to 2.7 and a bug which now is fixed in WB 2.7.

So as I understand you correctly, you explicitly wanna revert this and make WB 2.7 buggy  :-D. But to reach what you want you need to add the user to all 4 installations with the same name and the same password. The difference why it does not work (even if you use the same session identifier) is that the user table for every installation has a different table prefix.

Matthias
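
The risk discussed in this thread, several installations sharing one session name, sketched as an added example that is not part of either post and is not WebsiteBaker code. It contrasts a login check that trusts the session contents alone with one that also requires the session to have been issued by this installation and the user to exist in its own user table; every function, array key and data value here is hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WebsiteBaker code. All names are hypothetical.

// Constructed sample data: each installation has its own user table
// (different table prefix), but all share one session name and storage.
$installs = [
    'NL' => ['prefix' => 'nl_', 'users' => [1 => 'beheerder']],
    'UK' => ['prefix' => 'uk_', 'users' => []],
];

// What a successful login on one installation writes into the session.
function login(array $install, string $name): array
{
    $id = array_search($name, $install['users'], true);
    if ($id === false) {
        return [];                      // unknown user: nothing is stored
    }
    // 'origin' records which installation issued this session.
    return ['user_id' => $id, 'username' => $name, 'origin' => $install['prefix']];
}

// Weak check: any populated session counts as "logged in".
function is_logged_in_weak(array $session): bool
{
    return isset($session['user_id']);
}

// Bound check: the session must come from this installation AND the
// user must still exist, under the same name, in this installation's table.
function is_logged_in_bound(array $session, array $install): bool
{
    if (!isset($session['user_id'], $session['username'], $session['origin'])) {
        return false;
    }
    if (!hash_equals($install['prefix'], $session['origin'])) {
        return false;                   // issued by a different installation
    }
    $known = $install['users'][$session['user_id']] ?? null;
    return $known === $session['username'];
}

// The same session is presented to both installations, as happens when the
// session name is identical and the cookie is valid for the whole host.
$session = login($installs['NL'], 'beheerder');
foreach ($installs as $name => $install) {
    printf("%s weak=%s bound=%s\n", $name,
        var_export(is_logged_in_weak($session), true),
        var_export(is_logged_in_bound($session, $install), true));
}
```

For a deliberate single sign-on across the four language sites, the bound check would instead look the user name up in each installation's own table, which matches the advice above to create the user in all 4 installations.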

 

postern-length