Hi

Thanks for the update.

Regarding 2), I'm not talking about auth-tokens in Session, but whatever other tokens the programmer has entered into session. Should these not also be cleared?

sveinh

On Feb 1, 8:49 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> Entering panic mode!
>
> You are correct about 1). There is a major bug in 1.74.8. One line in
> tools.py appears to be missing. I must have accidentally while
> applying the "remember me" patch.
>
> I have fixed this in trunk. I have posted 1.74.9.
>
> !!! EVERYONE PLEASE UPGRADE. THIS IS A MAJOR SECURITY ISSUE !!!
>
> 2) is not a problem. That is normal web2py behavior. It recycles the
> session tokens. All auth variables are cleared at logout.
>
> Massimo
>
> On Feb 1, 1:01 pm, sveinh <sve...@gmail.com> wrote:
>
> > Hi
>
> > I'd like to report two things I have encountered regarding
> > authentication:
>
> > 1) Login with no (or wrong) password
> > I have made no changes to the source, open the Welcome application,
> > register a new user, then login. When logging in, I use the same
> > e-mail as when registering, and password blank.
>
> > It logs me in successfully.
>
> > Is this a bug?
>
> > 2) Session present after logout
> > I set a session variable while logged in. Log the user out, then in
> > again, the session variable is still present. I would assume that a
> > session should be cleared when logging out? Or will the user be
> > connected to the same session when logging in again before session
> > timeout?
>
> > In advance, thanks!
>
> > -sveinh
>
> > My runtime env:
>
> > Running with Firefox on Ubuntu 9.10 Desktop:
>
> > python2.5 web2py.py --nogui
> > web2py Enterprise Web Framework
> > Created by Massimo Di Pierro, Copyright 2007-2010
> > Version 1.74.8 (2010-01-24 16:46:23)
> > Database drivers available: SQLite3
> > Starting cron...
> > choose a password:something
> > please visit:
> > http://127.0.0.1:8000
> > use "kill -SIGTERM 5364" to shutdown the web2py server
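
The session behaviour discussed in point 2, as an added example that is not part of the original thread and is not web2py code: a minimal in-memory model in which `SessionStore`, `AUTH_KEY`, `export_token` and both logout functions are hypothetical names. It contrasts a logout that clears only the auth variables with one that discards the whole session and issues a new id.

```python
import secrets

AUTH_KEY = "auth"  # hypothetical key under which the login state is stored


class SessionStore:
    """Server-side sessions keyed by the session-id cookie value."""

    def __init__(self):
        self._data = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def get(self, sid):
        return self._data[sid]

    def drop(self, sid):
        self._data.pop(sid, None)


def login(store, sid, user):
    store.get(sid)[AUTH_KEY] = {"user": user}


def logout_auth_only(store, sid):
    """Behaviour described in the thread: only auth variables are cleared."""
    store.get(sid).pop(AUTH_KEY, None)
    return sid  # same session id, application-set keys survive


def logout_full_reset(store, sid):
    """Stricter variant: discard the session and issue a fresh id."""
    store.drop(sid)
    return store.new_session()


def demo(logout):
    """Return (session id reused?, session contents seen by the next user)."""
    store = SessionStore()
    sid = store.new_session()
    login(store, sid, "alice@example.com")         # constructed sample user
    store.get(sid)["export_token"] = "app-secret"  # set by application code
    sid_after = logout(store, sid)
    login(store, sid_after, "bob@example.com")     # next login, same browser
    return sid_after == sid, dict(store.get(sid_after))
```

With `logout_auth_only` the second user inherits whatever the application stored for the first one, so anything user-specific placed in the session has to be cleared by the application's own logout handling.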