Quote:
bills wrote:
When a user connects to Xoops, a new record is placed into the (xoops_)session table in the Xoops database. When a user logs in, a second record is entered into the session table.
You should check the session of XOOPS.
At least, the version of core 2.0.16 from xoops.org never creates a new session record on logging in.
(Same session id)
However, 2.0.16aJP from xoopscube.org regenerates the session id on logging in.
This is code for preventing "session fixation".
(Of course, 2.1 Legacy behaves the same way)
(I think xoopscube's way is better than xoops's way)
Protector just checks for session hijacking from another IP (range) for some groups like "administrators".
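
As an added illustration (not part of the original post, and not XOOPS, XOOPS Cube or Protector source), the two defenses mentioned above could look like this in plain PHP. The function names, the session keys and the /24 range width are assumptions.

```php
<?php
// Added example: hypothetical helper names, not XOOPS or Protector code.

// Call after the credentials have been verified. Replacing the pre-login id
// means an id planted in the browser before login no longer maps to a session.
function on_login_success(int $uid, array $groups, string $remoteIp): void
{
    session_regenerate_id(true);           // issue a new id, delete the old session
    $_SESSION['uid']      = $uid;
    $_SESSION['groups']   = $groups;
    $_SESSION['login_ip'] = $remoteIp;     // remembered for the range check below
}

// True when both IPv4 addresses share the first $bits bits.
function same_ipv4_range(string $a, string $b, int $bits = 24): bool
{
    $la = ip2long($a);
    $lb = ip2long($b);
    if ($la === false || $lb === false) {
        return false;                      // unparsable address: treat as a mismatch
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($la & $mask) === ($lb & $mask);
}

// Per-request check: only sessions in protected groups are bound to an IP range.
function session_ip_ok(array $session, string $remoteIp, array $protected = ['administrators']): bool
{
    if (!array_intersect($session['groups'] ?? [], $protected)) {
        return true;                       // not a protected group: no IP binding
    }
    return same_ipv4_range($session['login_ip'] ?? '', $remoteIp);
}

// Constructed sample data (documentation address ranges).
$admin = ['uid' => 1, 'groups' => ['administrators'], 'login_ip' => '192.0.2.10'];
var_dump(session_ip_ok($admin, '192.0.2.77'));    // request from the same /24
var_dump(session_ip_ok($admin, '198.51.100.5'));  // request from a different range
```

The IP check only limits where an already stolen id can be replayed from; regenerating the id on login is what removes the fixation window.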