Hello.
I'm using Fossil version 1.22 (20120317175325). When a user registers, a
record in the user table is created with a cookie like this:
    6/546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B/8911f7f7d93766e2/test
The code that generates such cookies is in src/login.c, 1239:
    zCookie = db_text(0, "SELECT '%d/' || hex(randomblob(25))", uid);
However, the code that checks the credentials (src/login.c, 802) expects
cookies to be of the form HASH/CODE/USER.
So, the user enters his login and password in the web UI, Fossil accepts
them (doesn't say anything about a wrong password), sets the cookie, but
the user is still anonymous, even though the cookie is there. The new
account only becomes available when the password is reset by an admin.
Is that a bug or a misconfiguration?
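The format mismatch described in the message above, as an added example that is not part of the original post and is not Fossil's own code. The names `cookie_parts`, `split_cookie` and `cookie_is_well_formed` are hypothetical, cutting at the first two slashes is an assumption about how a HASH/CODE/USER reader behaves, and `zOk` is a constructed value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the three fields of a HASH/CODE/USER cookie. */
struct cookie_parts { char hash[128]; char code[64]; char user[64]; };

/* Assumed reader: cut at the first two '/' only. Returns 0 on success. */
int split_cookie(const char *z, struct cookie_parts *p){
  const char *s1 = strchr(z, '/');
  const char *s2 = s1 ? strchr(s1+1, '/') : NULL;
  size_t nHash, nCode;
  if( s2==NULL ) return -1;                 /* fewer than three fields */
  nHash = (size_t)(s1-z); nCode = (size_t)(s2-s1-1);
  if( nHash>=sizeof p->hash || nCode>=sizeof p->code ) return -1;
  if( strlen(s2+1)>=sizeof p->user ) return -1;
  memcpy(p->hash, z, nHash);    p->hash[nHash] = 0;
  memcpy(p->code, s1+1, nCode); p->code[nCode] = 0;
  strcpy(p->user, s2+1);        /* length checked above */
  return 0;
}

/* Strict check: exactly three non-empty fields, hex-only HASH and CODE. */
int cookie_is_well_formed(const char *z){
  struct cookie_parts p;
  const char *c;
  if( split_cookie(z, &p)!=0 ) return 0;
  if( !p.hash[0] || !p.code[0] || !p.user[0] ) return 0;
  if( strchr(p.user, '/') ) return 0;   /* a fourth field leaked into USER */
  for(c=p.hash; *c; c++) if( !isxdigit((unsigned char)*c) ) return 0;
  for(c=p.code; *c; c++) if( !isxdigit((unsigned char)*c) ) return 0;
  return 1;
}

int main(void){
  /* Cookie value quoted in the post above: four '/'-separated fields. */
  const char *zPost = "6/546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B"
                      "/8911f7f7d93766e2/test";
  /* Constructed three-field value for comparison. */
  const char *zOk = "546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B"
                    "/8911f7f7d93766e2/test";
  struct cookie_parts p;
  if( split_cookie(zPost, &p)==0 ){
    printf("hash=%s\ncode=%s\nuser=%s\n", p.hash, p.code, p.user);
  }
  printf("post cookie ok=%d, three-field ok=%d\n",
         cookie_is_well_formed(zPost), cookie_is_well_formed(zOk));
  return 0;
}
```

With the extra leading `6/` field, every field shifts one position: the uid lands in HASH, the random hex lands in CODE, and USER becomes `8911f7f7d93766e2/test` rather than `test`.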