[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Recent commit breaks login - instructions on how to fix
- Subject: Recent commit breaks login - instructions on how to fix
- From: "Christopher Murtagh" <..hidden..>
- Date: Tue, 21 Nov 2006 01:17:17 -0500
Greetings folks,
I just committed a change that breaks login if your running svn trunk
or the 1.2 branch. The change is an enhancement to minimize hijack
attempts via a transaction_id. That ID is checked and changed at every
page load. If it doesn't match, it will (soon) give out a warning that
there was an attempted session hijacking and the session will be
destroyed forcing the user to login again. This should help lower the
risk of someone using an XSS attack to steal the session cookie and do
any damage, and also prevent double page loads which could corrupt
data.
So, the easy way to fix the setup is to drop the session table and
re-created it with the create statement in sql/Pg-central.sql, which
I'll put here too. In the central DB, do the following:
DROP TABLE session;
CREATE TABLE session(
session_id serial PRIMARY KEY,
token VARCHAR(32) CHECK(length(token) = 32),
last_used TIMESTAMP default now(),
users_id INTEGER NOT NULL references users(id),
transaction_id INTEGER NOT NULL
);
Cheers,
Chris