Edgewall Software
Opened 19 years ago

Closed 18 years ago

#2147 closed defect (fixed)

Settings -> changing SID is not protected against index collision

Reported by: neta <neta@…>
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: general
Version: 0.9b1
Severity: major
Keywords: sid index collision
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Using the settings form, any anonymous user has the possibility to customize a SID string instead of using the provided random key. The code update is not protected against a sid already existing condition. Since authenticated users usually have sid=name, it is fairly easy for anyone to drive the application into unexpected failure.

Verified against Trac 0.9b1 with PostgreSQL backend.

Attachments (0)

Change History (2)

comment:1 by Christian Boos, 19 years ago

Milestone: 0.12

Might be considered for milestone:0.12

comment:2 by Christian Boos, 18 years ago

Milestone: 0.12
Resolution: fixed
Status: new → closed

Well, I verified this, and currently when trying to enter an already taken sid, Trac produces the following error:

Session "test" already exists.
Please choose a different session ID.

So I think that the SID is now protected against index collision.

As I couldn't figure out which change since 0.9b1 implemented this, I leave the milestone field blank.
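
The collision this ticket describes, and the guarded form of the update, as an added example that is not part of the ticket and is not Trac's code. The `session` table layout, the function names and the sample rows are assumptions made for illustration; only the error text is taken from the comment above.

```python
import sqlite3

class SessionExists(Exception):
    """The requested session ID is already taken."""

def make_db():
    # Hypothetical minimal session table; the primary key plays the role
    # of the unique index named in the ticket title.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (sid TEXT PRIMARY KEY, last_visit INTEGER)")
    # Constructed sample rows: an authenticated user (sid = name) and an
    # anonymous visitor holding a random key.
    db.executemany("INSERT INTO session VALUES (?, ?)",
                   [("test", 1), ("a1b2c3d4e5f6", 2)])
    db.commit()
    return db

def change_sid_unchecked(db, old_sid, new_sid):
    # Blind rename: in this sketch a taken sid surfaces as a raw database
    # integrity error instead of a message the user can act on.
    with db:
        db.execute("UPDATE session SET sid = ? WHERE sid = ?", (new_sid, old_sid))

def change_sid_checked(db, old_sid, new_sid):
    if new_sid == old_sid:
        return
    msg = 'Session "%s" already exists. Please choose a different session ID.' % new_sid
    try:
        with db:  # commits on success, rolls back on any exception
            taken = db.execute("SELECT 1 FROM session WHERE sid = ?",
                               (new_sid,)).fetchone()
            if taken:
                raise SessionExists(msg)
            db.execute("UPDATE session SET sid = ? WHERE sid = ?",
                       (new_sid, old_sid))
    except sqlite3.IntegrityError:
        # Another request claimed the sid between the check and the update;
        # the unique index is the final arbiter, so report it the same way.
        raise SessionExists(msg) from None

def outcome(fn, db, old_sid, new_sid):
    # Helper for the demonstration: name of the exception raised, or "ok".
    try:
        fn(db, old_sid, new_sid)
        return "ok"
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    print(outcome(change_sid_unchecked, db, "a1b2c3d4e5f6", "test"))
    print(outcome(change_sid_checked, db, "a1b2c3d4e5f6", "test"))
```

The explicit lookup gives the friendly message in the common case, while the `IntegrityError` handler covers the window between the lookup and the update.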
