We had an error reported to us by penetration testers who were auditing a new site for a client. If the same user logs in _simultaneously_ then both sessions will end up authenticated. This looks like it's because the session_limit is checking for sessions in the DB - but new sessions aren't flushed until the end of the first request - a race condition.
I've attached a patch which adds a check on the second request which works around the problem. It might be better to force sessions to be flushed on creation - although you'd need db transactions (innodb) for that to work without introducing another race - and they're not an installation requirement. The performance would also likely be worse.
| Comment | File | Size | Author |
|---|---|---|---|
| | session-limit-racefix.diff | 674 bytes | josh_robb |
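The race described in the report, modelled in Python as an added example (this is not the session_limit module's code and the attached patch is not reproduced here). A session store makes new sessions visible to other requests only when `flush()` runs at the end of the request, so two logins for the same user that both run the limit check before either flushes both succeed. The `enforce_on_request` function models the workaround of re-checking on a later request; its policy of keeping the newest session and destroying the surplus is an assumption, and the limit of one session per user and the user names are constructed values.

```python
"""Model of a session-limit race: the limit check reads the session table,
but a new session is written only at the end of its request.
Added example with constructed data; not the session_limit module's code."""

import itertools
import threading

MAX_SESSIONS = 1  # assumed limit for this constructed scenario


class SessionStore:
    """Session table plus a per-request write buffer. Sessions in `pending`
    are invisible to other requests until flush() copies them into `table`."""

    def __init__(self):
        self.lock = threading.Lock()
        self.table = {}    # sid -> uid: what other requests can see
        self.pending = {}  # sid -> uid: created but not yet flushed
        self._ids = itertools.count(1)

    def sessions_for(self, uid):
        # Only flushed sessions count, which is exactly what makes the race possible.
        with self.lock:
            return [s for s, u in self.table.items() if u == uid]

    def create(self, uid):
        sid = f"sid{next(self._ids)}"
        with self.lock:
            self.pending[sid] = uid
        return sid

    def flush(self, sid):
        # End of request: the session becomes visible to everyone else.
        with self.lock:
            if sid in self.pending:
                self.table[sid] = self.pending.pop(sid)

    def destroy(self, sid):
        with self.lock:
            self.table.pop(sid, None)
            self.pending.pop(sid, None)

    def is_valid(self, sid):
        with self.lock:
            return sid in self.table


def login_request(store, uid, race_point=None):
    """One login request: limit check, session creation, deferred flush.
    `race_point` (a Barrier) holds the request after the check so that a
    second login can also pass the check before this one is flushed."""
    if len(store.sessions_for(uid)) >= MAX_SESSIONS:
        return None  # limit enforced, no session issued
    sid = store.create(uid)
    if race_point is not None:
        race_point.wait(timeout=5)  # both logins are now past the check
    store.flush(sid)  # end of request
    return sid


def simultaneous_logins(store, uid, n=2):
    """Run n logins for the same user concurrently; return the sids issued."""
    gate = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = login_request(store, uid, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [s for s in results if s is not None]


def enforce_on_request(store, uid, current_sid):
    """Workaround: re-check the limit on a later request, by which time every
    session from the racing logins has been flushed. Assumed policy: keep the
    newest MAX_SESSIONS sessions (table preserves flush order) and destroy
    the rest. Returns True if current_sid is still valid afterwards."""
    sids = store.sessions_for(uid)
    surplus = sids[:-MAX_SESSIONS] if len(sids) > MAX_SESSIONS else []
    for s in surplus:
        store.destroy(s)
    return store.is_valid(current_sid)


if __name__ == "__main__":
    store = SessionStore()
    issued = simultaneous_logins(store, "alice")
    print("sessions issued by simultaneous logins:", len(issued))
    enforce_on_request(store, "alice", issued[0])
    print("valid after re-check:", sum(store.is_valid(s) for s in issued))
```

Sequential logins are refused correctly by the first check; only the concurrent pair slips through, and the re-check on the next request brings the user back within the limit.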
Comments
Comment #1
deekayen commented: committed to master and 6.x-2.x