testlink.org
| Anonymous | Login | Signup for a new account | 2019-12-11 17:49 UTC |  |
| Main | My View | View Issues | Change Log | My Account |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||||
| 0002239 | TestLink | General | public | 2009-03-17 14:51 | 2009-04-20 04:38 | ||||||||
| Reporter | ifezs001 | ||||||||||||
| Assigned To | |||||||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||||||
| Status | acknowledged | Resolution | open | ||||||||||
| Platform | OS | OS Version | |||||||||||
| Product Version | 1.8 RC 5 | ||||||||||||
| Fixed in Version | |||||||||||||
| Summary | 0002239: Sessions handled uncorrectly | ||||||||||||
| Description | The sessions ID' handled incorrectly, that is why this is a major security issue. Steps to Reproduce: 1. Login into Testlink using firefox 2. Open a new tab 3. Login with a different user name 4. Press F5 Actual Result: The second tab Testlink will refresh itself, but the first's tab user's page viewable. Maybe because it is using the same session ID. Expected Result: After refresh I just refreshing, but do not changing user like in the example. | ||||||||||||
| Additional Information | The Session ID handling is totaly wrong. Same problem if I login into Testlink, after that I close the browser, tha reopen it. Selecting the history and reselect the Testlink page. Still loged in with the same ssion ID. It should give different session ID | ||||||||||||
| Tags | No tags attached. | ||||||||||||
| Database (MySQL,Postgres,etc) | |||||||||||||
| Browser | Firefox | ||||||||||||
| PHP Version | 5 | ||||||||||||
| TestCaseID | |||||||||||||
| QA Team - Task Workflow Status | |||||||||||||
| Attached Files | |||||||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0005892) fman (administrator) 2009-03-17 18:40 |
This can not be solved due to method used to manage session. I have same problem when using Mantis. If you have some hint, implemented solution that can help, please let us know. Meanwhile you can not use tabs with TL, I'm sorry |
|
(0005897) ifezs001 (reporter) 2009-03-18 15:46 |
You shouldn't have to store the session ID in the cookies. When you launch a new tab or browser the session ID should be stored within that executed browser. |
|
(0005901) fman (administrator) 2009-03-19 01:27 |
Ok, but what we need is a working code, not just the idea. I've googled and found no simple solution |
|
(0005984) ifezs001 (reporter) 2009-03-25 16:25 |
Ok, I understand taht, but sorry I am not a developer. :) |
|
(0006446) mhavlat (reporter) 2009-04-20 04:38 |
We could look how other projects cares about it. A acknowledge it. Idea is correct. We should consider if we solve it or take as acceptable danger. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2009-03-17 14:51 | ifezs001 | New Issue | |
| 2009-03-17 14:51 | ifezs001 | Browser | => Firefox |
| 2009-03-17 14:51 | ifezs001 | PHP Version | => 5 |
| 2009-03-17 18:40 | fman | Note Added: 0005892 | |
| 2009-03-17 18:40 | fman | Status | new => feedback |
| 2009-03-18 15:46 | ifezs001 | Note Added: 0005897 | |
| 2009-03-19 01:27 | fman | Note Added: 0005901 | |
| 2009-03-25 16:25 | ifezs001 | Note Added: 0005984 | |
| 2009-04-20 04:38 | mhavlat | Note Added: 0006446 | |
| 2009-04-20 04:38 | mhavlat | Status | feedback => acknowledged |
|
Issue History |
| Copyright © 2000 - 2019 MantisBT Team |
 |