On Fri, 25 Aug 2000, Pavlos Christoforou wrote:
On Fri, 25 Aug 2000, Curtis Maloney wrote:
Greetings,
I'm using FSSession to store login details about visitors to our site. It is important that users only be able to see their own data (of course).
Today, however, I find out that some mistakes have been happening. People are finding themselves logged in when they haven't yet, and others finding they're logged in as someone else. This is, obviously, a problem.
I cannot see how this could be happening, since the Session ID is stored in a cookie, which should be unique to the client.
This is very weird indeed. Nobody has ever reported a similar problem. Can you send me the DTML method that calls the FSSession?
Yes. Very weird. I'm not doing anything fancy.

<dtml-call FSSession>

is in the standard_html_header. Once the user's name/password has been verified from the db, I use:

<dtml-call "FSSession.set('ReturnerID',ReturnerID)">

to set the value, and test if the user is logged in with:

<dtml-if "FSSession.has_key('ReturnerID')">

Logging out works fine, with:

<dtml-if "FSSession.has_key('ReturnerID')">
<dtml-call "FSSession.delete('ReturnerID')">
</dtml-if>

This was apparently working fine for quite some time (about a month of public usage), until last week. We have examined logs, and seen that one person accidentally used the system under someone else's ReturnerID, and then rectified their mistake.
Pavlos
I really would rather continue using FSSession, as it has worked fine for me in the past, and I find it very simple to use. It would also save me from having to totally rewrite the site. (o8 Then again, I am considering using Zope level user authentication in the next revision of this site, but that is already planned to be a major overhaul. Really, I just want to know what's going wrong... Have a better one, Curtis
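The following is an added illustration, not code from FSSession, Zope, or either poster. It models the set / has_key / delete flow Curtis describes with a small cookie-keyed session store, and then shows the two situations that matter for the reported symptom: with separate cookie jars the two clients cannot see each other's ReturnerID, but the moment a second client presents the same session cookie value it inherits the first client's login. The cookie name, the ID length, and the Browser/request helpers are assumptions made for the example; the code reproduces the symptom, not its cause, which the thread does not identify.

```python
import secrets
from typing import Dict, Optional

COOKIE_NAME = "FSSession"  # assumed cookie name; the real name is not given in the thread


class SessionStore:
    """Minimal in-memory stand-in for a cookie-keyed session store.
    Models the FSSession.set / has_key / delete calls used in the DTML above."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_id(self) -> str:
        # 128 bits from the OS CSPRNG: not sequential, not time-derived.
        return secrets.token_hex(16)

    def open(self, cookies: dict) -> str:
        """Return the session id for this request, creating a fresh one when
        the cookie is missing or unknown. Mirrors <dtml-call FSSession>."""
        sid = cookies.get(COOKIE_NAME)
        if sid is None or sid not in self._sessions:
            sid = self.new_id()
            self._sessions[sid] = {}
        return sid

    def set(self, sid: str, key: str, value) -> None:
        self._sessions[sid][key] = value

    def has_key(self, sid: str, key: str) -> bool:
        return key in self._sessions[sid]

    def delete(self, sid: str, key: str) -> None:
        self._sessions[sid].pop(key, None)

    def get(self, sid: str, key: str):
        return self._sessions[sid].get(key)


class Browser:
    """One client with its own cookie jar (assumed helper)."""

    def __init__(self) -> None:
        self.cookies: Dict[str, str] = {}


def request(store: SessionStore, browser: Browser,
            action: Optional[str] = None,
            returner_id: Optional[str] = None) -> Optional[str]:
    """Simulate one page hit: open the session, optionally log in or out,
    and return the ReturnerID the page would render (None if logged out)."""
    sid = store.open(browser.cookies)
    browser.cookies[COOKIE_NAME] = sid  # Set-Cookie on the response
    if action == "login":
        store.set(sid, "ReturnerID", returner_id)
    elif action == "logout" and store.has_key(sid, "ReturnerID"):
        store.delete(sid, "ReturnerID")
    return store.get(sid, "ReturnerID")


def isolated_sessions() -> Optional[str]:
    """Two browsers with separate cookie jars: Bob never sees Alice's login."""
    store = SessionStore()
    alice, bob = Browser(), Browser()
    request(store, alice, "login", "alice")
    seen_by_bob = request(store, bob)
    assert alice.cookies[COOKIE_NAME] != bob.cookies[COOKIE_NAME]
    return seen_by_bob


def shared_cookie_symptom() -> Optional[str]:
    """If a second client presents Alice's cookie value, by whatever route,
    it is served Alice's session: the 'logged in as someone else' symptom."""
    store = SessionStore()
    alice, other = Browser(), Browser()
    request(store, alice, "login", "alice")
    other.cookies[COOKIE_NAME] = alice.cookies[COOKIE_NAME]  # constructed collision
    return request(store, other)


def logout_clears() -> Optional[str]:
    """The has_key-guarded delete from the DTML really does end the login."""
    store = SessionStore()
    alice = Browser()
    request(store, alice, "login", "alice")
    request(store, alice, "logout")
    return request(store, alice)


def fresh_ids_distinct(n: int = 1000) -> bool:
    """Sanity check a store should pass: n cookie-less hits yield n distinct ids."""
    store = SessionStore()
    return len({store.open({}) for _ in range(n)}) == n
```

The practical check this suggests for the live site is the same one fresh_ids_distinct performs: hit the login page repeatedly without sending a cookie and confirm that every response sets a different session ID. If two different clients ever receive or present the same value, the store will behave exactly as shared_cookie_symptom shows, regardless of how the DTML is written.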