David Costa 2004-08-18, 8:56 pm
Rui,
I spent the last 2 hours fixing the Auth_HTTP installation at my
employer server where we use it extensively for some professional
applications.
The combination
Auth 1.2.3 stable
Auth_HTTP 2.1.1 beta
works fine, as I fixed the SessionSharing mess. Now, if you install
Auth_HTTP 2.1.2, we have a BC break and the user is asked to upgrade to
Auth 1.3.0r2.
Now, this is serious.
Auth_HTTP should have gone stable with 2.1.1, where I fixed the major
SessionSharing issue. Why? Because now a user who has the default
stable as preferred status (the great majority) will end up with the
combination Auth 1.2.3 and Auth_HTTP 2.0.
This combination exposes the users of Auth_HTTP 2.0 to the major
Session Sharing bug and possibly a security problem.
What's that? If you have two protected areas on your site (separate
areas with different realms, let's say an area called users and an area
called administrators), a user who gained access to the first realm will
be automatically logged on to the second, separate realm regardless of
his credentials. In fact, he will not even be prompted for a secondary
login.
To summarize, I don't understand how you released Auth_HTTP 2.1.2
requiring Auth 1.3.0r2 without
a) dropping me a line (after all, I am lead on this package);
b) breaking BC (and obviously without testing: every simple test will
reveal that 2.1.2 and 1.3.0r2 don't work with a previous Auth_HTTP
implementation).
2.1.1 should go stable and, even if 4 days have elapsed, I would go and
pull/remove 2.1.2.
Suggestions from other QA members are very welcome,
Regards,
David Costa
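The cross-realm session-sharing bug described in the post, modelled as an added example. This is not PEAR Auth or Auth_HTTP code and does not reproduce their internals: two HTTP Basic realms (`users` and `administrators`) share one PHP-style session store. With `scoped=False` the login state is kept under a single key, so a login to the `users` realm satisfies the `administrators` check without any challenge; with `scoped=True` the state is keyed by realm and the second area re-issues its 401 challenge. The function names, the `REALM_USERS` table, and the realm and user names are all constructed for the illustration.

```python
"""Model of the cross-realm session-sharing defect described in the post.

Constructed example: NOT PEAR Auth or Auth_HTTP code. It models two HTTP
Basic realms sharing one PHP-style session array, once with the login
state stored under an unscoped key (the bug) and once keyed by realm.
"""
import base64
from dataclasses import dataclass, field

# Constructed credential tables, one per realm. Only "root" is allowed
# into the administrators realm; "alice" is an ordinary user.
REALM_USERS = {
    "users": {"alice": "alice-pw", "root": "root-pw"},
    "administrators": {"root": "root-pw"},
}


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_header(user, password):
    """Build the Authorization header value a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def protect(session, realm, auth_header, scoped):
    """Gate one request to `realm`.

    `session` stands in for $_SESSION and is shared by every protected
    area on the site. scoped=False keeps the login state under one key,
    so any earlier login satisfies any realm (the reported bug).
    scoped=True stores the state under the realm it was obtained for, so
    a login to one realm says nothing about another.
    """
    key = ("auth", realm) if scoped else "auth"
    if key in session:
        return Response(200)  # already authenticated (for this realm, if scoped)

    creds = parse_basic(auth_header)
    if creds and REALM_USERS[realm].get(creds[0]) == creds[1]:
        session[key] = creds[0]
        return Response(200)
    # No usable credentials: challenge for this realm.
    return Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})


def scenario(scoped):
    """alice logs into 'users', then hits 'administrators' with no credentials.

    Returns the two status codes. Unscoped: (200, 200), i.e. alice is let
    into the admin area without ever being prompted. Scoped: (200, 401).
    """
    session = {}
    first = protect(session, "users", basic_header("alice", "alice-pw"), scoped)
    second = protect(session, "administrators", None, scoped)
    return first.status, second.status


if __name__ == "__main__":
    print("unscoped session (bug):", scenario(False))
    print("realm-scoped session  :", scenario(True))
```

The fix in the model is only the session key: once the login state carries the realm it was granted for, a second realm cannot be satisfied by it and the browser receives the expected `WWW-Authenticate` challenge.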