On Sat, Mar 31, 2012 at 6:03 AM, Justin Forest <h...@umonkey.net> wrote:
> Hello.
>
> I'm using Fossil version 1.22 (20120317175325). When a user registers, a
> record in the user table is created with a cookie like this:
>
> 6/546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B/8911f7f7d93766e2/test
>
> The code that generates such cookies is in src/login.c, 1239:
>
> zCookie = db_text(0, "SELECT '%d/' || hex(randomblob(25))", uid);
>
> However, the code that checks the credentials (src/login.c, 802) expects
> cookies to be of the form HASH/CODE/USER.
>
> So, the user enters his login and password in the web UI, Fossil accepts
> that (doesn't say about a wrong password), sets the cookie but the user is
> still anonymous, even though the cookie is there. The new account only
> becomes available when the password is reset by an admin.
>
> Is that a bug or a misconfiguration?
>

Without looking, I would guess it is a bug. Neither I nor anybody I know uses it, it is not checked as part of our pre-release testing checklist, and so it seems like it would be easy for bugs to creep in unnoticed.

> --
> Using Opera's revolutionary email client: http://www.opera.com/mail/
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>

--
D. Richard Hipp
d...@sqlite.org
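The format mismatch reported in this thread can be pinned down with a small round-trip check; this is an added example, not part of the original messages and not Fossil's code. The names `parse_login_cookie`, `cookie_identifies` and `struct login_cookie` are hypothetical, the strict two-separator rule is an assumption about what "HASH/CODE/USER" means, and `8911f7f7d93766e2` is treated as the CODE field only because of its position in the quoted cookie.

```c
#include <stdio.h>
#include <string.h>

/* Fields of a cookie in the HASH/CODE/USER form the checker is said to expect. */
struct login_cookie { char hash[128]; char code[128]; char user[128]; };

/* Hypothetical strict parser (not Fossil's code): exactly two '/' separators
** and no empty field.  Returns 1 on success, 0 otherwise. */
int parse_login_cookie(const char *z, struct login_cookie *p){
  const char *s1 = strchr(z, '/');
  const char *s2 = s1 ? strchr(s1+1, '/') : 0;
  size_t nHash, nCode, nUser;
  if( s1==0 || s2==0 ) return 0;          /* fewer than three fields */
  if( strchr(s2+1, '/')!=0 ) return 0;    /* more than three fields */
  nHash = (size_t)(s1 - z);
  nCode = (size_t)(s2 - s1 - 1);
  nUser = strlen(s2+1);
  if( nHash==0 || nCode==0 || nUser==0 ) return 0;
  if( nHash>=sizeof(p->hash) || nCode>=sizeof(p->code)
   || nUser>=sizeof(p->user) ) return 0;
  memcpy(p->hash, z, nHash);    p->hash[nHash] = 0;
  memcpy(p->code, s1+1, nCode); p->code[nCode] = 0;
  memcpy(p->user, s2+1, nUser); p->user[nUser] = 0;
  return 1;
}

/* 1 only if the cookie parses and names the expected CODE and USER. */
int cookie_identifies(const char *z, const char *zCode, const char *zUser){
  struct login_cookie c;
  if( !parse_login_cookie(z, &c) ) return 0;
  return strcmp(c.code, zCode)==0 && strcmp(c.user, zUser)==0;
}

/* Value quoted in the post: '%d/' || hex(randomblob(25)), then two more fields. */
static const char zRegistered[] =
  "6/546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B/8911f7f7d93766e2/test";
/* Constructed three-field value: the same string without the "6/" prefix. */
static const char zThreeField[] =
  "546EB5C82F6724C84B0CFC7007108922807CDE3F079E1FC92B/8911f7f7d93766e2/test";

int main(void){
  printf("registration cookie accepted: %d\n",
         cookie_identifies(zRegistered, "8911f7f7d93766e2", "test"));
  printf("three-field cookie accepted:  %d\n",
         cookie_identifies(zThreeField, "8911f7f7d93766e2", "test"));
  return 0;
}
```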