Infinite redirect loop caused by logged out user in usr_session table
Bug #1734194 reported by Robert Lyon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Critical | Robert Lyon |
16.10 | Fix Released | Critical | Unassigned |
17.04 | Fix Released | Critical | Unassigned |
17.10 | Fix Released | Critical | Unassigned |
18.04 | Fix Released | Critical | Robert Lyon |
Bug Description
The USER object contains the id of the user that is logged in, and it matches up to the usr_session table so we know which session is matched to what user.
When one is not logged in, the USER object has id = 0.
If for some reason we end up with usr = 0 in the usr_session table, we end up in an infinite loop because it tries to log out that dummy user but can't.
It should never end up in the usr_session table.
So we need to do these things:
1) When saving data to the usr_session table, never save if user id = 0; instead throw a warning, to avoid the problem.
2) When reading usr_session data in the auth_setup() function, ignore fetching info for usr = 0, to ignore bad data.
behatnotneeded
Changed in mahara:
importance: Undecided → Critical
milestone: none → 18.04.0
status: New → In Progress
assignee: nobody → Robert Lyon (robertl-9)
Patch for "master" branch: https://reviews.mahara.org/8306
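The two guards proposed in the bug description, modelled as an added example (this is not Mahara's code or the linked patch). It is written in Python against an in-memory SQLite table so it runs offline. The column layout, the function names and the way the redirect cycle is simulated are assumptions made for illustration.

```python
import sqlite3
import warnings

ANONYMOUS_ID = 0  # per the report, a logged-out USER object has id = 0


def open_db():
    """In-memory stand-in for usr_session; the two columns are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr_session (usr INTEGER, session TEXT PRIMARY KEY)")
    return db


def save_session(db, usr, session_id):
    """Guard 1: never store a row for usr = 0; warn and skip instead."""
    if int(usr) == ANONYMOUS_ID:
        warnings.warn("refusing to save usr_session row for usr = 0")
        return False
    db.execute("INSERT OR REPLACE INTO usr_session VALUES (?, ?)",
               (int(usr), session_id))
    return True


def lookup_unguarded(db, session_id):
    """Modelled pre-fix read: any matching row counts, even usr = 0."""
    row = db.execute("SELECT usr FROM usr_session WHERE session = ?",
                     (session_id,)).fetchone()
    return row[0] if row else None


def lookup_guarded(db, session_id):
    """Guard 2: rows with usr = 0 are ignored as bad data."""
    row = db.execute(
        "SELECT usr FROM usr_session WHERE session = ? AND usr <> ?",
        (session_id, ANONYMOUS_ID)).fetchone()
    return row[0] if row else None


def count_redirects(db, session_id, lookup, max_hops=5):
    """Modelled request cycle (assumption): a stored usr = 0 row triggers a
    logout that changes nothing, so the next request hits the same row."""
    hops = 0
    while hops < max_hops:
        usr = lookup(db, session_id)
        if usr is None or usr != ANONYMOUS_ID:
            return hops  # anonymous visitor or real user: page renders
        hops += 1        # usr = 0 row: logout is a no-op, redirect, retry
    return hops
```

The read-side guard matters even with the write-side guard in place, because rows with usr = 0 that were stored before the fix would otherwise keep triggering the loop.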