[ZBX-5419] session not terminated upon logout
Created: 2012 Aug 06  Updated: 2020 Jul 16  Resolved: 2012 Aug 10

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: None
Fix Version/s: 2.0.3rc1, 2.1.0

Type: Defect (Security)
Priority: Critical
Reporter: richlv
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: security, sessions
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

(1) log in, log out. session's status is still 0 in the db.
this leaves multiple valid session ids behind and reduces security - even if you properly log out, somebody may reuse that session id.

(2) another problem is that guest session is not terminated after logging in as another user.

access the frontend as guest, log in. notice how logged in user count is 2.
the reason is that previous guest session has not been set to expired.
when logging in, we should set the previous guest session to expired - there is no reason for it to sit around (it is not reused - if we log out right away, a new



 Comments   
Comment by Toms (Inactive) [ 2012 Aug 10 ]

Fixed in dev. branch: svn://svn.zabbix.com/branches/dev/ZBX-5419

Comment by Pavels Jelisejevs (Inactive) [ 2012 Aug 13 ]

TESTED.

Comment by Toms (Inactive) [ 2012 Aug 13 ]

Resolved in 2.0.3rc1 r29552, 2.1.0 r29553
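
The two behaviours from the description, modelled as an added example (not Zabbix code and not the fix committed for this issue): a logout that leaves the session row active, next to a logout and a login that expire the old row. The single-table schema, the function names and the value 1 for "expired" are assumptions; only status 0 for a live session comes from the report.

```python
import secrets
import sqlite3

ACTIVE, EXPIRED = 0, 1  # 0 = live session per the report; 1 = expired is an assumption

def new_db():
    # Simplified, assumed schema: one row per session id.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sessionid TEXT PRIMARY KEY, "
               "userid TEXT NOT NULL, status INTEGER NOT NULL DEFAULT 0)")
    return db

def open_session(db, userid):
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO sessions (sessionid, userid) VALUES (?, ?)", (sid, userid))
    return sid

def is_valid(db, sid):
    # Server-side check every request must pass: the row exists and is active.
    row = db.execute("SELECT status FROM sessions WHERE sessionid = ?", (sid,)).fetchone()
    return row is not None and row[0] == ACTIVE

def logout_cookie_only(db, sid):
    """Behaviour reported in (1): the client drops the id, the row stays active."""
    return None  # new cookie value; the database is not touched

def logout(db, sid):
    """Logout that expires the row, so the old id is rejected afterwards."""
    db.execute("UPDATE sessions SET status = ? WHERE sessionid = ?", (EXPIRED, sid))
    return None

def login(db, userid, previous_sid=None):
    """Expire the session the browser arrived with (e.g. guest), then issue a new id."""
    if previous_sid is not None:
        db.execute("UPDATE sessions SET status = ? WHERE sessionid = ?",
                   (EXPIRED, previous_sid))
    return open_session(db, userid)

def active_count(db):
    return db.execute("SELECT COUNT(*) FROM sessions WHERE status = ?",
                      (ACTIVE,)).fetchone()[0]

def demo():
    db = new_db()
    guest = open_session(db, "guest")               # constructed sample users
    admin = login(db, "Admin", previous_sid=guest)  # (2): guest row expired here
    after_login = active_count(db)
    logout(db, admin)                               # (1): row expired on logout
    return after_login, is_valid(db, admin), is_valid(db, guest)

if __name__ == "__main__":
    print(demo())
```

Counting rows with `status = 0` after a logout, as `active_count` does, is also a quick regression check for this class of bug.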
