Quote:
Since you are worried about security, the dual session records make it possible for someone to hook into a Xoops system even though there has been a logout. I'm not sure of the specific cases, but I've been able to trigger the problem with some frequency. So people's concerns about not logging off are VERY VALID and IMPORTANT. There is a hole in the 2.0.16 version.
Yes, that's true - easy password cracking, phpmailer and sessions. But JMorris, David, Monty or Herko have long insisted that "Xoops by Skalpa" was secure (even though they're not programmers). At the same time they recommend "Protector".
Finally, it seems that Nobunobu has worked on such an issue in Legacy, which I think emulates "Xoops" better than Xoops itself. Well, to be honest, I didn't test the last release yet! But since the XCL programmers have listened to and considered reviewing such comments in the past, I'm quite sure they are preventing such issues.