#18 SVNManager not checking session ID info correctly

Status: open-later
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-12-09
Created: 2009-11-03
Creator: Anonymous
Private: No

If there are two SVNManager installs on a single server under the same domain but in different directories, a successful login on one results in any other install reading and using the session ID info without checking whether it is valid for the current install. It appears that the session ID is checked against the TDL only.

To reproduce:

1st SVNManager install accessible via http://foo.domain.tdl/svn1
User ID 1 - admin
User ID 2 - non-admin
User ID 3 - non-admin

2nd SVNManager install accessible via http://foo.domain.tdl/svn2
User ID 1 - non-admin
User ID 2 - admin
User ID 3 - non-admin

If user ID 1 logs into svn1, they are granted access under their account with admin rights. If that user then navigates to svn2 without logging out first, they have access to svn2 as user ID 1 (menus and profile reflect the name of UID 1 under svn2) with admin rights, without being prompted for a login or password. A partial workaround is to manually change the user IDs between the installs in the database backend, making sure there are no duplicate IDs between the two databases. This fixes the user account issue, but the admin rights from svn1 are still in effect under svn2.

The only method found to fully eliminate this issue is to have the installs on different TDLs, either via physical machines or virtual hosts. This behavior is not seen in other svn access manager projects I have checked (USVN, svn-access-manager).

Discussion

  • Marijn Verkerk - 2009-12-09
    • status: open --> open-fixed
  • Marijn Verkerk - 2009-12-09

    Hi there!

    I guess I can't sell this to you as a feature? :)

    Anyway, I haven't looked at the solutions of other web apps, but the problem can be solved by specifying a specific session save path for each installation of svnmanager. If a PHP program starts storing session data, this stuff is saved in a specified location, the save path. This path can be specified in several locations, starting at the php.ini and going down to commands directly in PHP.

    For svnmanager, do the following steps:

    a. create a folder inside the svnmanager folder, named 'session', and make sure this folder is writable by the user that runs apache (e.g. www-data)
    b. edit each svnmanager/application.spec:

    search for the line with <session enabled="true" /> and add:
    save-path="/the/location/to/the/created/session/folder", e.g.:
    <session enabled="true" save-path="/srv/www/svnmanager/svnmanager/session" />

    I hope this will work for you!

    Kind regards,
    Marijn

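The following is an added example in plain PHP and is not SVNManager's code; the constants, function names and the `session` directory layout are assumptions made for illustration. It shows the isolation the comment above describes (a per-installation session save path), which is the countermeasure to the cross-install session reuse the ticket reports, and adds two further measures that a defender would normally combine with it: a per-install cookie name and cookie path, so the browser never sends the svn1 cookie to /svn2 at all, and binding each session to an install identifier, so a session that somehow does arrive from another install is discarded instead of its user ID and admin flag being trusted.

```php
<?php
// Added example, not SVNManager's code. Isolates PHP sessions between two
// installations served under the same host name at different URL paths
// (/svn1 and /svn2), the setup described in the ticket.

// Per-install settings (hypothetical; in SVNManager the save path is set in
// application.spec via <session enabled="true" save-path="..." />).
const INSTALL_ID   = 'svn1';                // unique name of this installation
const INSTALL_PATH = '/svn1';               // URL path prefix of this installation
const SESSION_DIR  = __DIR__ . '/session';  // must be writable by the web server user

function startInstallSession(string $installId, string $urlPath, string $saveDir): void
{
    // 1. Separate storage: PHP looks up session files only in this directory,
    //    so a session ID issued by another install is simply not found here.
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $saveDir");
    }
    session_save_path($saveDir);

    // 2. Separate cookie name and path: the browser sends the svn1 cookie only
    //    to URLs under /svn1, so svn2 never receives svn1's session ID at all.
    session_name('SVNMGR_' . strtoupper($installId));
    session_set_cookie_params([
        'path'     => $urlPath,
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);

    session_start();

    // 3. Defence in depth: bind every session to the install that created it.
    //    If a session from elsewhere is ever presented, discard it instead of
    //    trusting its user ID and admin flag (the failure the ticket describes).
    if (isset($_SESSION['install_id']) && $_SESSION['install_id'] !== $installId) {
        session_unset();
        session_destroy();
        session_start();
    }
    if (!isset($_SESSION['install_id'])) {
        session_regenerate_id(true);        // fresh ID for a fresh session
        $_SESSION['install_id'] = $installId;
    }
}

// Called only after the password check succeeded (that check is out of scope here).
function loginUser(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true);            // new ID so a pre-login ID cannot be reused
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}

// Returns the logged-in user ID, or null when there is no valid session for
// THIS install. The install check is repeated here so that a consumer of the
// session data cannot forget it.
function currentUserId(): ?int
{
    if (($_SESSION['install_id'] ?? null) !== INSTALL_ID) {
        return null;
    }
    return $_SESSION['user_id'] ?? null;
}

function currentUserIsAdmin(): bool
{
    return currentUserId() !== null && ($_SESSION['is_admin'] ?? false) === true;
}

startInstallSession(INSTALL_ID, INSTALL_PATH, SESSION_DIR);
```

With the save-path change alone (steps a and b above) the two installs stop sharing session storage, which is what the ticket asks for; the cookie path and the install-id binding are independent additions, so either can be adopted without the other. Whatever directory is used as the save path should not be reachable over HTTP, since session files contain the user ID and admin flag in clear text.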
  • Marijn Verkerk - 2009-12-09
    • status: open-fixed --> open-later
