PEAK XOOPS - Session Management

Session Management

Posted on 2007/7/7 1:02 by bills (Posts: 2)
With Xoops 2.0.16 and Protector 3.02 a number of unnecessary session records are being created for each user session.

Protector creates a session record when a user first lands on a Xoops site. When the user logs in, another session record is created. When the user logs off, the state of the session records are changed, but the records are never deleted.

Unless you use something like Xoops Care on a regular basis, you can get a huge build-up of unnecessary session records. On a high traffic site, this quickly becomes unmanageable.

1. Why does Protector create its own session record?
2. Why doesn't the core re-use the protector's session record?
3. Why aren't the session records deleted when a user logs out?
4. But, if a session record is needed to track a non-logged in user, why isn't there some automatic (e.g. cron driven means) of deleting the old records? The records are marked as inactive.

If anyone knows the answer to these questions, it would be helpful. I'm trying to create a single unified login for multiple independent products, and the multiple session records are creating a real problem.

Thanks.
Posted on 2007/7/7 3:37 by GIJOE (Posts: 4110)
I cannot understand what you mean at all.

What is "session"?

- db session (connection)

Protector connects to the db earlier than the common process does.
It can certainly affect the db's "max connections".

- php session

Protector never creates a php session.

Or do you mean the "session hijacking" feature?
If yes, adjust the option "Protected IP bits for the session".
Posted on 2007/7/7 4:54 by bills (Posts: 2)
When a user connects to Xoops, a new record is placed into the (xoops_)session table in the Xoops database. When a user logs in, a second record is entered into the session table. Since the first record's session data has "protector" session variables, I thought that your Protector module was making the entry. Given your response, I now have to assume that the Xoops core is making the entry, and when the login has been completed, a second entry for the same user session is then placed into the session table.

There should be only one entry per session... and it needs to be deleted at some point, which it is not. So, I guess there are multiple core bugs that are causing the creation of the two records and their lack of deletion... so I will start searching through the core for the problem.

Since you are worried about security, the dual session records make it possible for someone to hook into a Xoops system even though there has been a logout. I'm not sure of the specific cases, but I've been able to trigger the problem with some frequency. So people's concerns about not logging off are VERY VALID and IMPORTANT. There is a hole in the 2.0.16 version.

Thanks.

Re: Session Management (msg# 1.1.1.1)
Posted on 2007/7/8 3:14 by gigamaster, Geneva, Switzerland (Posts: 94)
Quote:
Since you are worried about security, the dual session records makes it possible for someone to hook into a Xoops system even though there has been a logout. I'm not sure of the specific cases, but I've been able to trigger the problem with some frequency. So peoples' concerns about not logging off are VERY VALID and IMPORTANT. There is a hole in the 2.0.16 version.

Yes, that's true - easy password cracking, phpmailer and sessions. But JMorris, David, Monty and Herko have long insisted that "Xoops by Skalpa" was secure (even though they're not programmers). At the same time they recommend "Protector".

Finally it seems that Nobunobu has worked on such issues in Legacy, which I think emulates "Xoops" better than Xoops itself. Well, to be honest, I haven't tested the last release yet! But since the XCL programmers have listened to and considered such comments in the past, I'm quite sure they prevent such issues.


Re: Session Management (msg# 1.1.1.2)
Posted on 2007/7/8 17:46 by GIJOE (Posts: 4110)
Quote:
bills wrote:
When a user connects to Xoops, a new record is placed into the (xoops_)session table in the Xoops database. When a user logs in, a second record is entered into the session table.
You should check the session handling of XOOPS.

At least, the version of core 2.0.16 from xoops.org never creates a new session record on logging in.
(Same session id)

However, 2.0.16aJP from xoopscube.org regenerates the session id on logging in.
This is code for preventing "session fixation".
(Of course, 2.1 Legacy has the same behavior)

(I think xoopscube's way is better than xoops's way)


Protector just checks for session hijacking from another IP (range) for some groups like "administrators".
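The two login behaviours GIJOE contrasts above (xoops.org 2.0.16 keeping the session id on login versus 2.0.16aJP / Legacy regenerating it) and the Protector-style "IP bits" check he describes, as an added simulation. This is not XOOPS, XOOPS Cube or Protector code: the in-memory store standing in for the xoops_session table, the group name "administrators", the sample IP addresses and the bit counts are all assumptions made for illustration. It shows why session fixation succeeds when the id is not regenerated on login, why it fails when it is, and how masking the stored client IP to a prefix of N bits decides whether a later request from another address is accepted.

```python
"""Constructed simulation of session fixation and IP-range hijack checks.
Not XOOPS/Protector code; the store, groups and addresses are assumptions."""
import ipaddress
import secrets


def same_prefix(ip_a, ip_b, bits):
    """True when both addresses share their leading `bits` bits
    (the 'Protected IP bits for the session' idea; bits=32 means exact match)."""
    net = ipaddress.ip_network(f"{ip_a}/{bits}", strict=False)
    return ipaddress.ip_address(ip_b) in net


class SessionStore:
    """In-memory stand-in for the xoops_session table (assumption for this example)."""

    def __init__(self):
        self.rows = {}  # sess_id -> {"uid": int, "ip": str, "groups": set}

    def start(self, client_sid=None, client_ip="0.0.0.0"):
        """Like session_start() with use_strict_mode off: an id supplied by the
        client is accepted even if the server never issued it. That is the
        precondition for session fixation."""
        sid = client_sid or secrets.token_hex(16)
        self.rows.setdefault(sid, {"uid": 0, "ip": client_ip, "groups": set()})
        return sid

    def login(self, sid, uid, groups, client_ip, regenerate):
        """regenerate=False keeps the id (2.0.16 from xoops.org);
        regenerate=True moves the data to a fresh id (2.0.16aJP / Legacy)."""
        if regenerate:
            new_sid = secrets.token_hex(16)
            self.rows[new_sid] = self.rows.pop(sid)
            sid = new_sid
        self.rows[sid].update(uid=uid, groups=set(groups), ip=client_ip)
        return sid

    def logout(self, sid):
        """Delete the row outright rather than only marking it inactive."""
        self.rows.pop(sid, None)

    def uid_for(self, sid, client_ip, protected_bits=32):
        """Resolve a presented id. For administrators, refuse the session when the
        request comes from outside the protected IP prefix recorded at login."""
        row = self.rows.get(sid)
        if row is None:
            return 0
        if "administrators" in row["groups"] and not same_prefix(
            row["ip"], client_ip, protected_bits
        ):
            return 0  # treated as not logged in: possible hijack from another range
        return row["uid"]


def fixation_attack_succeeds(regenerate_on_login):
    """Attacker obtains a valid id, plants it in the victim's browser, the victim
    logs in with it, then the attacker presents the same id. Returns True if the
    attacker now resolves to the victim's uid."""
    store = SessionStore()
    planted = store.start(client_ip="198.51.100.7")             # attacker's session
    victim_sid = store.start(planted, client_ip="203.0.113.5")  # victim arrives with it
    store.login(victim_sid, uid=42, groups={"registered"},
                client_ip="203.0.113.5", regenerate=regenerate_on_login)
    return store.uid_for(planted, client_ip="198.51.100.7") == 42


def admin_hijack_succeeds(attacker_ip, protected_bits):
    """An administrator session stolen (e.g. cookie theft) and replayed from
    attacker_ip; the IP-bits check decides whether it is honoured."""
    store = SessionStore()
    sid = store.start(client_ip="203.0.113.5")
    sid = store.login(sid, uid=1, groups={"administrators"},
                      client_ip="203.0.113.5", regenerate=True)
    return store.uid_for(sid, attacker_ip, protected_bits) == 1


def logout_destroys_session():
    """After logout the id must no longer resolve to a user."""
    store = SessionStore()
    sid = store.login(store.start(client_ip="203.0.113.5"), uid=7,
                      groups={"registered"}, client_ip="203.0.113.5", regenerate=True)
    store.logout(sid)
    return store.uid_for(sid, "203.0.113.5") == 0


if __name__ == "__main__":
    print("fixation, id kept on login:      ", fixation_attack_succeeds(False))
    print("fixation, id regenerated on login:", fixation_attack_succeeds(True))
    print("admin replay from other /32:      ", admin_hijack_succeeds("198.51.100.7", 32))
    print("admin replay within same /24:     ", admin_hijack_succeeds("203.0.113.9", 24))
```

The first two calls reproduce the difference GIJOE describes: with the id kept, the attacker's planted id becomes the victim's authenticated session; with regeneration, the planted id is simply gone. The last two show the trade-off behind the bit count: 32 bits pins an administrator session to one address, while a shorter prefix tolerates address changes inside an ISP's range at the cost of accepting replays from that range.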
