ID: 0015029
Project: phpList 3 application
Category: Authentication System
View Status: public
Last Update: 02-10-18 20:06
Status: resolved
Resolution: fixed
Product Version: 2.10.5
Fixed in Version: 2.11.8
Summary: 0015029: Identical Cookies allow login to multiple installations

Description:
I have two installations of PHPList on the same domain. The first installation is in a sub-directory of the root called "lists" and the second is in a sub-directory called "subscribe".

Each installation uses its own database.

Each installation has different log on details for the admin.

I have tried to log in to each installation using the other's username and password and I cannot log in.

However, once I am logged in, I can substitute the word "lists" for "subscribe" in the URL and get in to the other installation.

As the login is stored in a cookie on my browser, I suspect that this is where the problem is. In fact, I cleared out all cookies, then logged in to the first installation, then I opened another browser window to access the second installation. Monitoring the cookies, I see that there is only one. When I delete this cookie, I am logged out of both installations.

The serious problem is that logging in to one installation should not give access to the second installation.

The cookie name is PHPSESSID (the default session name).

Should the cookie prefix be determined in the configuration file?



11-06-08 15:56

manager   ~0049399

Antonimo's findings seem to point to a session ID related security issue that might occur when having multiple installs and multiple admins.

I have therefore asked Antonimo to file this mantis report because I think this should be looked into by the developers.

See also:


11-06-08 16:06


You are right, H2B2.


03-04-09 13:44

reporter   ~0050613

I think that storing $installation_name as a session variable, comparing that with the local $installation_name variable in the access check script then logging the user out if they don't match would fix this.
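The binding the comment above proposes, as an added PHP example that is not phpList's own code: the session records which installation issued it, the access check rejects a session issued elsewhere, and the cookie itself is scoped to the installation's sub-directory so the browser never sends it to the sibling install. `$installation_name`, `record_admin_login` and `admin_session_valid` are assumed names for the illustration.

```php
<?php
// Added example, not phpList's code. Assumes $installation_name is defined
// in config.php for each install ("lists" and "subscribe" in the report).
$installation_name = 'lists'; // constructed value for this illustration

// 1. Give each install its own cookie, limited to its own path, so the
//    default shared PHPSESSID cookie is never presented to the other install.
session_name('phplist_' . md5($installation_name));
session_set_cookie_params([
    'path'     => '/' . $installation_name . '/',
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. On a successful login, remember which installation issued the session.
function record_admin_login(int $adminId, string $installationName): void
{
    session_regenerate_id(true);           // fresh ID after authentication
    $_SESSION['adminloggedin']     = $adminId;
    $_SESSION['installation_name'] = $installationName;
}

// 3. In the access check, a session that names another installation is
//    discarded entirely rather than being treated as logged in.
function admin_session_valid(string $installationName): bool
{
    if (empty($_SESSION['adminloggedin'])) {
        return false;
    }
    $issuedBy = $_SESSION['installation_name'] ?? '';
    if (!hash_equals($installationName, (string) $issuedBy)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Usage at the top of an admin page, after config.php is loaded:
if (!admin_session_valid($installation_name)) {
    header('Location: /' . $installation_name . '/admin/?page=login');
    exit;
}
```

Step 1 alone stops the cross-install cookie in the browser; step 3 is the server-side check that still holds if someone presents a copied cookie directly.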


06-04-09 05:20

manager   ~0050617

For more info, see


29-10-09 02:54

manager   ~0050759

For those looking for a workaround solution, you can store administrator sessions in a database table by uncommenting the following setting in config.php:

    $SessionTableName = "phplistsessions";



01-11-12 17:41

manager   ~0051834

revision 3396