See: http://issues.joomla.org/tracker/joomla-cms/5214
My community has over 300.000 registered members and est. 200.000 users daily. When entering Joomla, a lot of users get empty sessions. That means the Session-ID is just "".
If one of these users logs in with the empty session, some of the others are also logged in with the same account. They can edit the profile, read/write personal messages etc. That's a huge problem, because no one wants others to enter the profile.
Delete all the cookies, and enter Joomla website.
User gets a unique Session-ID.
You are logged in as another user and/or share the empty Session-ID with other people. This happens with low likelihood. But if you have lots of users, it happens a lot.
Joomla: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Webserver: nginx/1.2.1
Database-version: 5.5.40-0+wheezy1-log
PHP: fpm-fcgi
You can also reproduce this issue if you change your session-id cookie within browser developer tools.
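A defensive check for the condition reported above, as an added example that is not the patch from this pull request and not Joomla's code: a session ID from the cookie is kept only if it is non-empty, well formed and was issued by the server, so an empty or hand-edited value always gets a fresh session. `SessionStore` and `resolveSessionId` are hypothetical names, and the in-memory array stands in for the real session storage.

```php
<?php
// Added illustration; SessionStore and resolveSessionId are hypothetical names, not Joomla APIs.

final class SessionStore
{
    private array $rows = [];   // session ID => session data
    public function issue(): string
    {
        $id = bin2hex(random_bytes(16));   // 128-bit ID from the CSPRNG
        $this->rows[$id] = ['user' => null];
        return $id;
    }

    public function has(string $id): bool
    {
        return isset($this->rows[$id]);
    }
    public function setUser(string $id, string $user): void
    {
        $this->rows[$id]['user'] = $user;
    }
    public function getUser(string $id): ?string
    {
        return $this->rows[$id]['user'] ?? null;
    }
}

// Keep the cookie value only if it is non-empty, well formed and was issued by
// this server; anything else (missing, "", edited in dev tools) gets a fresh ID.
function resolveSessionId(SessionStore $store, ?string $cookie): string
{
    if ($cookie !== null
        && preg_match('/\A[0-9a-f]{32}\z/', $cookie) === 1
        && $store->has($cookie)) {
        return $cookie;
    }
    return $store->issue();
}

$store = new SessionStore();
// Constructed requests: two visitors whose session cookie arrives as "".
$alice = resolveSessionId($store, '');
$bob   = resolveSessionId($store, '');
$store->setUser($alice, 'alice');                        // alice logs in

var_dump($alice !== $bob);                               // the two visitors hold separate sessions
var_dump($store->getUser($bob));                         // bob's session carries no login
var_dump(resolveSessionId($store, $alice) === $alice);   // an ID the server issued is kept
```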
Category | ⇒ | Libraries |
Rel_Number | ⇒ | 5214 |
Relation Type | ⇒ | Pull Request for |
@creativeprogramming are you able to test it? As you report the same issue. Thanks
I started the test for this patch today (sorry for the delay but it's a production environment).
I'll let you know if the problem disappears with this patch.
@creativeprogramming were you able to test this?
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-04-15 13:28:51 |
Closed_By | ⇒ | brianteeman |
Thanks to @euismod2336 for pointing out that this is for Joomla 2.5 which is now end of life and unsupported so I am closing this.
Thanks @enesbil, I have just sent a PR to fix CS issues to make Travis happy with us: https://github.com/enesbil/joomla-cms/pull/1/files
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/6430.