Recent commit breaks login - instructions on how to fix



Greetings folks,

I just committed a change that breaks login if you're running svn trunk
or the 1.2 branch. The change is an enhancement to minimize hijack
attempts via a transaction_id. That ID is checked and changed at every
page load. If it doesn't match, it will (soon) give out a warning that
there was an attempted session hijacking and the session will be
destroyed forcing the user to login again. This should help lower the
risk of someone using an XSS attack to steal the session cookie and do
any damage, and also prevent double page loads which could corrupt
data.

So, the easy way to fix the setup is to drop the session table and
re-create it with the create statement in sql/Pg-central.sql, which
I'll put here too. In the central DB, do the following:

DROP TABLE session;

CREATE TABLE session(
session_id serial PRIMARY KEY,
token VARCHAR(32) CHECK(length(token) = 32),
last_used TIMESTAMP default now(),
users_id INTEGER NOT NULL references users(id),
transaction_id INTEGER NOT NULL
);

Cheers,

Chris
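The check-and-rotate logic described in the message above, as an added illustration that is not part of Chris's post or the project's own code. It assumes a SQLite in-memory stand-in for the central DB's session table (same columns as the Pg-central.sql definition, SQLite syntax; the users foreign key is omitted) and uses a single conditional UPDATE so that a stale, replayed or stolen transaction_id, or a second concurrent load of the same page, fails the match and destroys the session.

```python
import secrets
import sqlite3

# Constructed stand-in for the central DB's session table (SQLite dialect;
# serial/now()/references replaced with their SQLite equivalents or dropped).
SCHEMA = """
CREATE TABLE session(
    session_id INTEGER PRIMARY KEY AUTOINCREMENT,
    token VARCHAR(32) CHECK(length(token) = 32),
    last_used TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    users_id INTEGER NOT NULL,
    transaction_id INTEGER NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_session(db, users_id):
    """Log a user in: fresh random 32-char token and a first transaction_id."""
    token = secrets.token_hex(16)               # 16 bytes -> 32 hex characters
    tid = secrets.randbelow(2**31 - 1) + 1      # fits a PostgreSQL INTEGER
    cur = db.execute(
        "INSERT INTO session(token, users_id, transaction_id) VALUES (?, ?, ?)",
        (token, users_id, tid))
    db.commit()
    return cur.lastrowid, token, tid

def check_and_rotate(db, session_id, token, transaction_id):
    """Validate the cookie values on a page load and rotate transaction_id.

    The UPDATE matches only when session_id, token and transaction_id all
    agree with the stored row. A mismatch (replayed cookie, stolen cookie
    carrying an already-rotated id, or a double page load) updates zero
    rows; the session is then destroyed so the user must log in again.
    Returns the new transaction_id on success, None if the session was killed.
    """
    new_tid = secrets.randbelow(2**31 - 1) + 1
    while new_tid == transaction_id:            # never reissue the same id
        new_tid = secrets.randbelow(2**31 - 1) + 1
    cur = db.execute(
        "UPDATE session SET transaction_id = ?, last_used = CURRENT_TIMESTAMP "
        "WHERE session_id = ? AND token = ? AND transaction_id = ?",
        (new_tid, session_id, token, transaction_id))
    if cur.rowcount == 1:
        db.commit()
        return new_tid
    db.execute("DELETE FROM session WHERE session_id = ?", (session_id,))
    db.commit()
    return None
```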