Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0002239
Project: TestLink
Category: General
View Status: public
Date Submitted: 2009-03-17 14:51
Last Update: 2009-04-20 04:38
Reporter: ifezs001
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Platform:
OS:
OS Version:
Product Version: 1.8 RC 5
Fixed in Version:
Summary: 0002239: Sessions handled incorrectly
Description: The session IDs are handled incorrectly, that is why this is a major security issue.

Steps to Reproduce:

1. Log in to TestLink using Firefox
2. Open a new tab
3. Log in with a different user name
4. Press F5

Actual Result:
The second tab's TestLink will refresh itself, but the first tab's user's page is viewable. Maybe because it is using the same session ID.

Expected Result:
After a refresh the page should just refresh, but not change the user like in the example.

Additional Information
The session ID handling is totally wrong. Same problem if I log in to TestLink, after that I close the browser, then reopen it, selecting the history and reselecting the TestLink page. Still logged in with the same session ID. It should give a different session ID.
Tags: No tags attached.
Database (MySQL,Postgres,etc):
Browser: Firefox
PHP Version: 5
TestCaseID:
QA Team - Task Workflow Status:
Attached Files:

-  Notes
(0005892)
fman (administrator)
2009-03-17 18:40

This cannot be solved due to the method used to manage sessions.
I have the same problem when using Mantis.
If you have some hint or an implemented solution that can help, please let us know.
Meanwhile you cannot use tabs with TL, I'm sorry.
(0005897)
ifezs001 (reporter)
2009-03-18 15:46

You shouldn't have to store the session ID in the cookies.

When you launch a new tab or browser the session ID should be stored within that executed browser.
(0005901)
fman (administrator)
2009-03-19 01:27

OK, but what we need is working code, not just the idea.
I've googled and found no simple solution.
(0005984)
ifezs001 (reporter)
2009-03-25 16:25

OK, I understand that, but sorry, I am not a developer. :)
(0006446)
mhavlat (reporter)
2009-04-20 04:38

We could look at how other projects care about it. I acknowledge it. The idea is correct. We should consider whether we solve it or take it as an acceptable danger.
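
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not TestLink code: a constructed Python model of a cookie-keyed session store where two tabs share one cookie jar. It shows that a refresh in the first tab follows the latest login, and it assumes a mitigation (the `Server` class and `page_token` are hypothetical names) in which every login issues a fresh session ID and each page carries a token bound to the user it was rendered for.

```python
import hashlib
import hmac
import secrets

class Server:
    """Constructed model of a cookie-keyed session store (assumption, not TestLink)."""
    def __init__(self):
        self.sessions = {}  # session id -> {"user": str, "key": bytes}

    def login(self, cookie_sid, user):
        # Drop the session the browser presented and issue a fresh id, so the
        # previous login cannot be resumed with the old cookie value.
        self.sessions.pop(cookie_sid, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "key": secrets.token_bytes(32)}
        return sid  # value the browser stores in its (shared) cookie jar

    def _tag(self, s):
        return hmac.new(s["key"], s["user"].encode(), hashlib.sha256).hexdigest()

    def render(self, cookie_sid):
        # Every page carries a token binding it to the user it was rendered for.
        s = self.sessions.get(cookie_sid)
        return None if s is None else {"user": s["user"], "page_token": self._tag(s)}

    def submit(self, cookie_sid, page_token):
        # Accept a state-changing request only from a page rendered for the
        # user who currently owns the session.
        s = self.sessions.get(cookie_sid)
        if s is None:
            return "login required"
        if not hmac.compare_digest(self._tag(s), page_token or ""):
            return "rejected: page belongs to another login"
        return "ok as " + s["user"]

def two_tab_scenario():
    server, jar = Server(), {}  # one cookie jar serves every tab
    jar["sid"] = server.login(jar.get("sid"), "alice")  # tab 1 logs in
    first_sid = jar["sid"]
    tab1 = server.render(jar["sid"])
    jar["sid"] = server.login(jar.get("sid"), "bob")    # tab 2 logs in
    tab2 = server.render(jar["sid"])
    return {
        "old_sid_dead": server.render(first_sid) is None,
        "tab1_refresh_user": server.render(jar["sid"])["user"],  # F5 in tab 1
        "tab1_stale_submit": server.submit(jar["sid"], tab1["page_token"]),
        "tab2_submit": server.submit(jar["sid"], tab2["page_token"]),
    }
```

In this model the first tab still shows the second user after a refresh, because both tabs send the same cookie; what the assumed mitigation changes is that the first login's session ID stops working and a form left open in the first tab is refused.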

- Issue History
Date Modified Username Field Change
2009-03-17 14:51 ifezs001 New Issue
2009-03-17 14:51 ifezs001 Browser => Firefox
2009-03-17 14:51 ifezs001 PHP Version => 5
2009-03-17 18:40 fman Note Added: 0005892
2009-03-17 18:40 fman Status new => feedback
2009-03-18 15:46 ifezs001 Note Added: 0005897
2009-03-19 01:27 fman Note Added: 0005901
2009-03-25 16:25 ifezs001 Note Added: 0005984
2009-04-20 04:38 mhavlat Note Added: 0006446
2009-04-20 04:38 mhavlat Status feedback => acknowledged


