Entering panic mode!

You are correct about 1). There is a major bug in 1.74.8. One line in
tools.py appears to be missing. I must have accidentally removed it while
applying the "remember me" patch.

I have fixed this in trunk. I have posted 1.74.9.

!!! EVERYONE PLEASE UPGRADE. THIS IS A MAJOR SECURITY ISSUE !!!

2) is not a problem. That is normal web2py behavior. It recycles the
session tokens. All auth variables are cleared at logout.

Massimo

On Feb 1, 1:01 pm, sveinh <sve...@gmail.com> wrote:
> Hi
>
> I'd like to report two things I have encountered regarding
> authentication:
>
> 1) Login with no (or wrong) password
> I have made no changes to the source, open the Welcome application,
> register a new user, then login. When logging in, I use the same e-
> mail as when registering, and password blank.
>
> It logs me in successfully.
>
> Is this a bug?
>
> 2) Session present after logout
> I set a session variable while logged in. Log the user out, then in
> again, the session variable is still present. I would assume that a
> session should be cleared when logging out? Or will the user be
> connected to the same session when logging in again before session
> timeout?
>
> In advance, thanks!
>
> -sveinh
>
> My runtime env:
>
> Running with Firefox on Ubuntu 9.10 Desktop:
>
> python2.5 web2py.py --nogui
> web2py Enterprise Web Framework
> Created by Massimo Di Pierro, Copyright 2007-2010
> Version 1.74.8 (2010-01-24 16:46:23)
> Database drivers available: SQLite3
> Starting cron...
> choose a password:something
> please visit:
>        http://127.0.0.1:8000
> use "kill -SIGTERM 5364" to shutdown the web2py server
