Posted to axkit-dev@xml.apache.org by Kjetil Kjernsmo <kj...@kjernsmo.net> on 2005/04/28 03:04:32 UTC

ANNOUNCE: AxKit-XSP-BasicSession-0.23_2 [security]

Dear all,

I have just uploaded a new developer release of BasicSession to CPAN. A 
review performed by the original author Mike Nachbaur and myself, 
prompted by the problems Tom Kirkpatrick has reported with the module, 
revealed that BasicSession was in fact not invalidating sessions 
properly. 

This may have security implications as information may be carried over, 
including authentication tokens, to a session even though the user 
believed that the previous session was exited. 
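The failure mode described above (session state, including an authentication token, surviving a logout that the user believes ended the session) can be made concrete with a small model. The following is an added example written for this page, not code from AxKit::XSP::BasicSession or from its authors; the SessionStore class, its method names and the token value are all constructed for illustration, and it shows the bug pattern of "ending" a session without discarding its data next to the corrected behaviour of dropping server-side state and issuing a fresh identifier.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example only."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of attributes

    def create(self):
        # Fresh, unpredictable identifier for a new, empty session
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def set(self, sid, key, value):
        self._sessions[sid][key] = value

    def invalidate_broken(self, sid):
        # Bug pattern (hypothetical): the session is flagged as ended, but the
        # attributes stay on the server and the same id keeps being honoured,
        # so the next request carrying the old cookie still sees the token.
        self._sessions[sid]["_expired"] = True
        return sid

    def invalidate(self, sid):
        # Correct behaviour: discard all server-side state for the old id,
        # then hand the client a brand-new id that shares nothing with it.
        self._sessions.pop(sid, None)
        return self.create()


def check_no_carry_over(store, sid_before, sid_after):
    """True only if nothing from the old session is reachable afterwards."""
    old = store.get(sid_before)
    new = store.get(sid_after)
    return sid_before != sid_after and old is None and new == {}


def demo():
    # Constructed sample session with an authentication token in it
    store = SessionStore()
    sid = store.create()
    store.set(store_sid := sid, "auth_token", "constructed-token-123")
    store.set(store_sid, "user", "alice")

    # Broken invalidation: the token is still there under the same id
    after_broken = store.invalidate_broken(sid)
    broken_clean = check_no_carry_over(store, sid, after_broken)

    # Correct invalidation: old state gone, new id empty
    store2 = SessionStore()
    sid2 = store2.create()
    store2.set(sid2, "auth_token", "constructed-token-123")
    after_fixed = store2.invalidate(sid2)
    fixed_clean = check_no_carry_over(store2, sid2, after_fixed)

    return broken_clean, fixed_clean


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The check_no_carry_over function is the kind of assertion a regression test for a session module should make after logout: the old identifier must no longer resolve to anything, and the identifier handed back must be different and empty.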

We believe that we have fixed this particular problem, as well as a 
number of smaller problems with this release. Given that there are 
security implications, I felt that it was appropriate to release this 
now, as well as this short advisory.

Note, however, that we have not tested this extensively, and while it 
seems to be OK with the File and DB_File backend, and usually OK with 
the PostgreSQL backend, we have noted problems with the latter: it has 
been seen to sit there and spin indefinitely. So, until more testing 
has been performed, one has the choice between a module that has 
security implications, and one that has seen little testing and has 
known issues. So, that's why this has been uploaded as a developer 
release and not an ordinary release. Caveat programmor. Your call. No 
warranties. Et cetera.

It appears to clear out some quite confusing issues that have been 
present in earlier releases, although we're not sure it corrects all 
known problems. Success or failure reports are welcome.

So to the formalities: I report that the uploaded file

    AxKit-XSP-BasicSession-0.23_2.tar.gz

has entered CPAN as

  file:
 $CPAN/authors/id/K/KJ/KJETILK/AxKit-XSP-BasicSession-0.23_2.tar.gz
 size: 14668 bytes
   md5: 4e6cc5f2ab406e198bf0ddc3e33b8688

From the changelog:
0.23_2	 2005-04-28 02:45
	- Invalidation of session didn't work properly, which has
	  obvious SECURITY issues. We found this as a result of a
	  review sparked by inquiries by Tom Kirkpatrick.
	- Tom Kirkpatrick pointed out that get-last-accessed-time
	  returned a meaningless time. Mike Nachbaur provided a patch
	  for that.
	- When using a Pg based backend, different defaults should be
	  used. 
	- Actually implement the comment in enumerate.
	- Some documentation cleanups.
	- Added quite a lot of debugging statements. 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC