Project

General

Profile

Bug #71

User Sessions Appear Multiple Times

Added by Luke Murphey about 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Luke Murphey
Category:
Access Control
Target version:
1.0.1
Start date:
11/12/2010
Due date:
11/14/2010
% Done:

100%

Description

Sometimes, a user show two sessions on the sessions dashboard. This appears to be the same session because the tracking numbers and login times are identical.

Related issues

Related to ThreatFactor NSIA - Bug #247: Does Not Recover Session when Inactivating Old Session Closed 11/05/2010 11/05/2010

History

#1 Updated by Luke Murphey about 14 years ago

After an existence of this was noted, the sessions table was examined. Two sessions for the given session tracking number existed with the status code of 1 (SESSION_ACTIVE).

This appears to be a session ID that was not expired correctly.

To help address this issue, the code that creates a new SID and clears the old ones has been made a commit-table transaction so that creation of the new SID and expiring of the old one is atomic. Change was made in version 0.8.30 (June 29th, 2008). However, this did not solve the problem.

#2 Updated by Luke Murphey about 14 years ago

  • Target version set to 0.9 (Beta)

#3 Updated by Luke Murphey almost 14 years ago

  • Assignee set to Luke Murphey

#4 Updated by Luke Murphey almost 14 years ago

  • Target version changed from 0.9 (Beta) to 1.0 (Release)

Moving to version 1.0.

This issue presents no real problems and will be fixed when the issue can be more definitely analyzed.

#5 Updated by Luke Murphey over 13 years ago

  • Target version deleted (1.0 (Release))

Cannot find a fix for this one. This is a low severity issue and thus is going to be disconnected from release 1.0.

#6 Updated by Luke Murphey over 13 years ago

  • Category set to Access Control

#7 Updated by Luke Murphey over 13 years ago

Noticed today that this issue seems to crop up exactly at the one hour mark.

My session stopped "due to inactivity" even though I had plenty of activity. The expired session was still present and had a creation time of Nov 12, 2010 7:22:31 PM with a last activity time of Nov 12, 2010 8:22:30. My next session had a creation time of Nov 12, 2010 8:22:39 PM.

It seems like the session system is not using the last activity time correctly.

#8 Updated by Luke Murphey over 13 years ago

The system does not appear to be using the session activity dates at all for determining if a session is still valid.

#9 Updated by Luke Murphey over 13 years ago

  • Due date set to 11/14/2010
  • Status changed from New to In Progress
  • Target version set to 1.0.1
  • Start date changed from 04/08/2010 to 11/12/2010
  • % Done changed from 0 to 100

Just need to complete testing

#10 Updated by Luke Murphey over 13 years ago

  • Status changed from In Progress to Closed

Also available in: Atom PDF