View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0019441 | phpList 3 application | Authentication System | public | 02-10-18 13:55 | 01-11-18 14:21 |

| Field | Value |
|---|---|
| Product Version | 3.3.4 - RC3 |
| Summary | 0019441: Open Login |
| Description | When there is more than one phpList instance on the same server, by logging in to one of the instances you can enter the others without a password. |

Steps To Reproduce:

- open the login page of one instance (example: http://server/install1/admin)
- enter user name and password
- open another tab in the same browser
- open another instance (example: http://server/install2/admin)
- install2 doesn't ask for the password and it's possible to access the admin area.

Tags: No tags attached.
Hmm, interesting. It would be good to verify this. It's quite possible it works when e.g. the logins are the same (username and password), as we store and verify the password hash in the session. Once the login details are different this should not work, but it will be good to check.
It can probably be resolved by setting a different cookie per installation. We should specifically set something like "phpList-[Installation]".
This issue, or at least something very similar, was raised in the past: https://mantis.phplist.org/view.php?id=15029
Then the cause was identified to be using the same name for the session cookie in each installation, i.e. PHPSESSID.
Using a unique session name for each installation should resolve this.
Thanks for the reference Duncan.
Due to the way PHP sessions work, a valid session for application A can also be used for application B. PHP has no way to determine the scope of a session automatically.
Changing the session name won't resolve this because you can edit the cookie name of the instance A in the browser to be equal to the one of instance B and you would still be logged in.
If you run multiple PHP apps, it would be recommended to set a custom session save path per application to avoid conflicts.
That said, I will look into hardening this further.
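One way to scope a PHP session to a single installation along the lines discussed above (a per-application session save path, a distinct cookie name, and a scope marker verified on every request). This is an added example, not phpList's own code; the function name, the `$appId` value and the save path root are assumptions.

```php
<?php
// Added example, not phpList code: start a PHP session that is scoped to one
// installation, so a session created under /install1/admin is not accepted
// under /install2/admin. Assumptions (hypothetical): $appId is a string that
// is unique per installation, and the web server user may write under
// $savePathRoot.
declare(strict_types=1);

function startScopedSession(string $appId, string $cookiePath,
                            string $savePathRoot = '/var/lib/php/sessions'): void
{
    // 1. Separate storage per installation: a session file written by one
    //    application is not visible to another, which is the root cause here.
    $savePath = rtrim($savePathRoot, '/') . '/' . $appId;
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true) && !is_dir($savePath)) {
        throw new RuntimeException("cannot create session save path $savePath");
    }
    session_save_path($savePath);

    // Reject session ids that do not exist in this save path rather than
    // adopting them, so an id from another app (or a fixed id) gets replaced.
    ini_set('session.use_strict_mode', '1');

    // 2. Distinct cookie name and path, so the browser only sends this cookie
    //    to this installation. Defence in depth only: a user can rename it.
    session_name('phpList-' . $appId);
    session_set_cookie_params([
        'path'     => $cookiePath,
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();

    // 3. Bind the session to the installation and check it on every request:
    //    a session that belongs to another scope is discarded, never reused.
    if (!isset($_SESSION['app_scope'])) {
        $_SESSION['app_scope'] = $appId;
    } elseif (!hash_equals((string) $_SESSION['app_scope'], $appId)) {
        session_regenerate_id(true);          // fresh id, old data deleted
        $_SESSION = ['app_scope' => $appId];
    }
}

// Usage in the admin bootstrap of the second installation (constructed values):
// startScopedSession('install2', '/install2/');
```

The scope check in step 3 is what still holds when someone edits the cookie name in the browser, as noted above: the session data it points at carries the other installation's marker and is thrown away.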