[Mono-bugs] [Bug 78281][Maj] New - timeout and expire fields in SessionSQLServerHandler
bugzilla-daemon at bugzilla.ximian.com
Thu May 4 04:41:46 EDT 2006
Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by babal at via.ecp.fr.
http://bugzilla.ximian.com/show_bug.cgi?id=78281
--- shadow/78281 2006-05-04 04:41:46.000000000 -0400
+++ shadow/78281.tmp.8289 2006-05-04 04:41:46.000000000 -0400
@@ -0,0 +1,50 @@
+Bug#: 78281
+Product: Mono: Class Libraries
+Version: 1.1
+OS: All
+OS Details:
+Status: NEW
+Resolution:
+Severity:
+Priority: Major
+Component: Sys.Web
+AssignedTo: gonzalo at ximian.com
+ReportedBy: babal at via.ecp.fr
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: timeout and expire fields in SessionSQLServerHandler
+
+Hi everyone,
+
+ It seems that SessionSQLServerHandler (namespace
+System.Web.SessionState) doesn't correctly set nor retrieve the "expires"
+and "timeout" data fields in the database. Amongst other things, this
+prevents sessions to ever expire (this has serious security implications,
+which is why I proposed "Major" as a priority for this bug).
+
+ More precisely, I am about to attach a patch for version 1.1.15 which
+should correct the following issues:
+- in method "UpdateContext": delete expired sessions even before
+ checking that a particular session exists
+- in method "SelectSession": retrieve the value of "timeout" which
+ has been previously stored in the database instead of returning a
+ hardcoded value (100)
+- in method "InsertSession": set current time + timeout as the value
+ for "expires" instead of always current time + one day
+- in method "UpdateSession": update the "timeout" field (in case the user
+ changed it programmatically) and update the "expires" field accordingly
+- in methods "InsertSession" and "UpdateSession" : use the keyword
+ "NOW()" instead of supplying a numerical value for dates; this makes
+ the database server the only one to actually manipulate dates, which
+ avoids any potential clock synchronisation problems between the web
+ server(s) and the database server
+
+Nb: I'm not too sure about which type the data field "timeout" should be.
+ In this patch I assumed it was "decimal".
+
+ Hope this helps.
+
+--
+Boris Dores
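Review bot: the column type of "timeout" is left as an assumption in the description ("In this patch I assumed it was 'decimal'"); before the patch is applied, the type used by SelectSession and UpdateSession should be checked against the actual session table schema so that the stored timeout round-trips correctly, otherwise the fix for the hardcoded value (100) is undone in practice. The other two points are sound as described: computing "expires" from NOW() plus the stored timeout makes expiry depend only on the database clock, and deleting expired rows in UpdateContext before the existence check closes the window in which an already-expired session could still be found and resumed. Worth stating in the bug that these are the security-relevant parts, since the summary only mentions "serious security implications" without saying which behaviour they fix.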