Multiple installations = same session even if diff login...

Postby pinoguin » 6:28am, Fri 03 Apr, 2009

Hi,

This worries me... we have multiple installations of phplist on the same web server. I log in to the first installation, open another tab in my browser, view the 2nd installation and *boom*, it auto-logs me in.

Same happens with the 3rd installation & 4th... etc. As long as I'm logged in at the first installation the sessions are accepted for all.

For a business with multiple clients set on multiple installations, this is a troubling security issue...



Best regards,
Elijah
pinoguin
PL Nut
 
Posts: 44
Joined: 4:01pm, Sat 26 Jan, 2008

multiple installations?

Postby pradeep » 8:05am, Fri 03 Apr, 2009

Does that help you in speeding up the queue from phplist multiple times? I was looking to implement this alternative, but did not find any info on how to have multiple implementations without conflict.
pradeep
phpLister
 
Posts: 6
Joined: 8:01am, Fri 03 Apr, 2009

Postby pinoguin » 8:11am, Fri 03 Apr, 2009

No idea how it speeds things up; it should work fine since they have their own DBs and folders.

My only concern is the login: any client can log in to another client's install as long as his session is on for the first one.
pinoguin
PL Nut
 
Posts: 44
Joined: 4:01pm, Sat 26 Jan, 2008

Postby localhorst » 9:54am, Fri 03 Apr, 2009

You'd better install each instance to its own subdomain.

Then you shouldn't have any problems.
localhorst
PL Nut
 
Posts: 21
Joined: 7:38pm, Wed 04 Mar, 2009
Location: Luxembourg
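The subdomain advice works because the browser scopes cookies by host: PHP's default session cookie (PHPSESSID, path /) is otherwise sent to every installation on the same host, so they all read the same server-side session. The following is an added example, not phpList's own code, showing the same separation achieved on one host by giving each install its own session cookie name and restricting the cookie to that install's admin path. It assumes $installation_name and $adminpages are the config.php variables named elsewhere in this thread; the sample values are constructed.

```php
<?php
// Added example (not phpList code): isolate the PHP session of each install
// on a shared host. Assumes $installation_name and $adminpages exist in config.php.

function sessionSettingsFor(string $installationName, string $adminPath): array
{
    return [
        // A distinct cookie name per install: the browser then keeps one
        // session cookie per install instead of a single shared PHPSESSID.
        'name' => 'phplist_' . substr(hash('sha256', $installationName), 0, 16),
        // Limit the cookie to this install's admin path, so a cookie set under
        // /clientA/lists/admin/ is never sent to /clientB/lists/admin/.
        'path' => rtrim($adminPath, '/') . '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Call this before any output, in place of a bare session_start().
function startIsolatedSession(string $installationName, string $adminPath): void
{
    $s = sessionSettingsFor($installationName, $adminPath);
    session_name($s['name']);
    session_set_cookie_params([
        'path'     => $s['path'],
        'httponly' => $s['httponly'],
        'samesite' => $s['samesite'],
        // Only mark the cookie Secure when the request actually arrived over TLS.
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Two installs on the same host (constructed values): the cookie names and
// paths differ, so neither install ever receives the other's session cookie.
print_r(sessionSettingsFor('clientA', '/clientA/lists/admin'));
print_r(sessionSettingsFor('clientB', '/clientB/lists/admin'));
```

Cookie scoping stops the browser from presenting install A's session to install B; it does not by itself make the server verify which install a session belongs to, so it is best paired with a server-side check that records the installation name in the session.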

Postby pinoguin » 10:07am, Fri 03 Apr, 2009

Hmmm, a subdomain? OK, we can try that one. Thanks!
pinoguin
PL Nut
 
Posts: 44
Joined: 4:01pm, Sat 26 Jan, 2008

Postby CS2 » 1:34pm, Fri 03 Apr, 2009

The reason for this is that PHPlist stores auth information in session variables. When you access a page it only checks the login name and whether you are logged in; it does not check the installation name. However, it will only auto-log you in if the login name is the same on each installation (e.g. "admin"). Thus, the simple fix to this is to make sure you do not create any logins that are duplicated on other installations.

If you want it to also force *you* to login for each installation, you will need to change the login name for the super-admin login from "admin" to something else.
CS2
PL Master
 
Posts: 216
Joined: 2:20am, Wed 04 Feb, 2009

Postby H2B2 » 1:36pm, Fri 03 Apr, 2009

Seems related to:
http://mantis.phplist.com/view.php?id=15029
http://forums.phplist.com/viewtopic.php?p=48489#48489

If you want you can add a note to the mantis report.
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

Postby CS2 » 1:46pm, Fri 03 Apr, 2009

I added a note to the Mantis link suggesting that storing $installation_name as a session variable, comparing it with the local variable on each access check, and logging out the user if they don't match should correct this as a simple fix.
CS2
PL Master
 
Posts: 216
Joined: 2:20am, Wed 04 Feb, 2009
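CS2's two posts above describe the access check (only "logged in" plus the login name are consulted) and the proposed fix (store $installation_name in the session and log out on mismatch). The following is an added example, not phpList's code, that puts the weak check beside the bound one and runs both against a session created on one install and presented to another. The session keys 'adminloggedin' and 'adminname' are illustrative placeholders; $installation_name is the config.php variable named in this thread.

```php
<?php
// Added example (not phpList code). Session keys 'adminloggedin', 'adminname' and
// 'installation_name' are placeholders; $installation_name comes from config.php.

// Weak check, as described in the thread: any install sharing the PHP session
// accepts it, because nothing ties the session to the install that created it.
function weakAccessCheck(array $session): bool
{
    return !empty($session['adminloggedin']) && !empty($session['adminname']);
}

// On login, record which install authenticated this session.
function recordLogin(array &$session, string $adminName, string $installationName): void
{
    $session['adminloggedin']     = true;
    $session['adminname']         = $adminName;
    $session['installation_name'] = $installationName;
}

// Bound check: every request must come from the install named in the session.
// A mismatch is treated as "not logged in" and the session is cleared, which is
// the log-out-on-mismatch behaviour proposed above.
function boundAccessCheck(array &$session, string $installationName): bool
{
    if (empty($session['adminloggedin']) || empty($session['adminname'])) {
        return false;
    }
    if (!isset($session['installation_name'])
        || !hash_equals($session['installation_name'], $installationName)) {
        $session = [];   // session belongs to a sibling install: drop it
        return false;
    }
    return true;
}

// Simulation with a constructed session array standing in for $_SESSION:
// the admin logs in on install "clientA", then the same session reaches "clientB".
$shared = [];
recordLogin($shared, 'admin', 'clientA');

var_dump(weakAccessCheck($shared));              // accepted on any install
var_dump(boundAccessCheck($shared, 'clientA'));  // accepted: same install
var_dump(boundAccessCheck($shared, 'clientB'));  // rejected, and $shared is emptied
```

In a real install the functions take $_SESSION by reference, recordLogin() runs once in the login handler, and boundAccessCheck($_SESSION, $installation_name) replaces the existing logged-in test at the top of every admin page.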

Postby pinoguin » 1:48pm, Fri 03 Apr, 2009

Many thanks, looking forward to the next version.
pinoguin
PL Nut
 
Posts: 44
Joined: 4:01pm, Sat 26 Jan, 2008

Re: Multiple installations = same session even if diff login...

Postby edv » 12:06pm, Thu 18 Jun, 2009

I have multiple installations on different domains. One production installation on a hosted webserver. One development and test installation on my computer with XAMPP.
On the test installation I have a copy of the production database. The username/passwords for the admin are the same on both installs.

Now when I'm working on the test install, it has happened several times that I was suddenly 'transferred' to the admin backend of the production install. E.g. when I add a list in the test install, I suddenly find myself in the production install!

This looks like a serious bug in the admin security. At least it introduces the risk of performing unwanted experiments in the production install, while thinking I'm working in the test install. So now I keep an eye on the address bar of the browser at every move I make.

Could this be caused by the browser cache? I'm working in Chrome now, but I just tested this in FF and there it behaves just the same.

e-
edv
phpLister
 
Posts: 8
Joined: 6:08pm, Tue 09 Jun, 2009

Re: Multiple installations = same session even if diff login...

Postby H2B2 » 3:05am, Thu 29 Oct, 2009

Storing sessions in a database table should solve this issue.
See viewtopic.php?f=17&t=18285#p69480
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006
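Keeping each install's sessions in its own database table means a session id presented to another install simply finds no row there, even when both installs share the web server's file-based session.save_path. The following is an added example, not phpList's code, of a PDO-backed session handler that does this; the two SQLite in-memory databases and the session payload are constructed for the demonstration, and $installation_name is the config.php variable named in this thread.

```php
<?php
// Added example (not phpList code): per-install session storage in a database.
// Requires PHP 8 (typed interface signatures) and the pdo_sqlite extension for
// the demo; in production pass the install's own PDO connection.

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS admin_session (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, modified INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Unknown id: return '' so PHP starts an empty session (i.e. not logged in).
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM admin_session WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : $row;
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'REPLACE INTO admin_session (id, data, modified) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM admin_session WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM admin_session WHERE modified < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Real use, before session_start():
//   session_set_save_handler(new DbSessionHandler($pdoForThisInstall), true);
// Below, two installs with separate databases are simulated directly.
$installA = new DbSessionHandler(new PDO('sqlite::memory:'));
$installB = new DbSessionHandler(new PDO('sqlite::memory:'));

$sid = bin2hex(random_bytes(16));   // constructed session id
$installA->write($sid, 'adminloggedin|b:1;adminname|s:5:"admin";');

var_dump($installA->read($sid) !== '');   // install A finds its own session
var_dump($installB->read($sid) === '');   // install B has no such row: login required
```

Because each install connects to its own database, the table name can stay the same everywhere; the isolation comes from the connection, not the schema.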

Re: Multiple installations = same session even if diff login...

Postby adrian15 » 6:24pm, Fri 15 Jan, 2010

edv wrote:
When I'm working on the test install, it has happened several times that I was suddenly 'transferred' to the admin backend of the production install. E.g. when I add a list in the test install, I suddenly find myself in the production install!


I thought that I suffered the same bug as you, but I was wrong. This is not a bug. I think it is a misconfiguration.

As I said in the bug report (http://mantis.phplist.com/view.php?id=15403):

It seems that I forgot to edit these config.php variables:

$pageroot = '/pruebala5/lists';
$adminpages = '/pruebala5/lists/admin';

Does it solve your problem?

adrian15
adrian15
PL Nut
 
Posts: 20
Joined: 8:02pm, Mon 16 Nov, 2009
