ID | Project | Category | View Status | Date Submitted | Last Update
0002239 | TestLink | General | public | 2009-03-17 14:51 | 2009-04-20 04:38
Reporter | ifezs001
Assigned To |
Priority | normal | Severity | major | Reproducibility | always
Status | acknowledged | Resolution | open
Platform | OS | OS Version |
Product Version | 1.8 RC 5
Fixed in Version |
Summary | 0002239: Sessions handled incorrectly
Description | The session IDs are handled incorrectly; that is why this is a major security issue.
Steps to Reproduce:
1. Log in to TestLink using Firefox
2. Open a new tab
3. Log in with a different user name
4. Press F5
Actual Result: In the second tab TestLink will refresh itself, but the first tab's user's page is viewable. Maybe because it is using the same session ID.
Expected Result: After a refresh I am just refreshing, not changing user like in the example.
Additional Information | The session ID handling is totally wrong. Same problem if I log in to TestLink, then close the browser, then reopen it, select the history and reselect the TestLink page: still logged in with the same session ID. It should give a different session ID.
Tags | No tags attached.
Database (MySQL,Postgres,etc) |
Browser | Firefox
PHP Version | 5
TestCaseID |
QA Team - Task Workflow Status |
Attached Files |
(0005892) fman (administrator) 2009-03-17 18:40
This cannot be solved due to the method used to manage sessions. I have the same problem when using Mantis. If you have some hint or an implemented solution that can help, please let us know. Meanwhile you cannot use tabs with TL, I'm sorry.
(0005897) ifezs001 (reporter) 2009-03-18 15:46
You shouldn't have to store the session ID in the cookies. When you launch a new tab or browser the session ID should be stored within that executed browser.
(0005901) fman (administrator) 2009-03-19 01:27
OK, but what we need is working code, not just the idea. I've googled and found no simple solution.
(0005984) ifezs001 (reporter) 2009-03-25 16:25
OK, I understand that, but sorry, I am not a developer. :)
(0006446) mhavlat (reporter) 2009-04-20 04:38
We could look at how other projects take care of it. I acknowledge it. The idea is correct. We should consider whether we solve it or take it as an acceptable danger.
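
An added sketch for the behaviour discussed in this issue; it is not part of the original thread and not TestLink code. A cookie is shared by every tab of a browser, so this does not give each tab its own session: it issues a new session ID on each login, expires idle sessions on the server, and lets a tab rendered under an earlier login detect the switch instead of silently acting as the other user. The function names, the `login_nonce` field and the timeout value are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example (hypothetical names; not TestLink code). Assumes PHP 7+.

const IDLE_LIMIT = 900; // assumed value: seconds of inactivity before logout

function start_session()
{
    // Lifetime 0: the cookie is dropped when the browser closes. HttpOnly: hidden from scripts.
    session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
    session_start();

    // Server-side idle timeout, for browsers that restore session cookies on reopen.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = array();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

function login_user($userId)
{
    // Fresh ID per login; true deletes the old session data, so the previous ID stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Nonce identifying this login; pages rendered under an earlier login carry the old one.
    $_SESSION['login_nonce'] = bin2hex(random_bytes(16));
}

function login_nonce_field()
{
    // Embed in every form the application renders.
    return '<input type="hidden" name="login_nonce" value="'
        . htmlspecialchars($_SESSION['login_nonce'], ENT_QUOTES) . '">';
}

function request_matches_login($submitted)
{
    return isset($_SESSION['login_nonce'])
        && is_string($submitted)
        && hash_equals($_SESSION['login_nonce'], $submitted);
}

// Guard at the top of every state-changing script.
start_session();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !request_matches_login($_POST['login_nonce'] ?? null)) {
    http_response_code(409);
    exit('This tab was opened under an earlier login. Reload to continue as the current user.');
}
```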
Date Modified | Username | Field | Change |
2009-03-17 14:51 | ifezs001 | New Issue | |
2009-03-17 14:51 | ifezs001 | Browser | => Firefox |
2009-03-17 14:51 | ifezs001 | PHP Version | => 5 |
2009-03-17 18:40 | fman | Note Added: 0005892 | |
2009-03-17 18:40 | fman | Status | new => feedback |
2009-03-18 15:46 | ifezs001 | Note Added: 0005897 | |
2009-03-19 01:27 | fman | Note Added: 0005901 | |
2009-03-25 16:25 | ifezs001 | Note Added: 0005984 | |
2009-04-20 04:38 | mhavlat | Note Added: 0006446 | |
2009-04-20 04:38 | mhavlat | Status | feedback => acknowledged |