Details
- Bug
- Resolution: Unresolved
- High
- None
- 4.7.0
- Any
Description
ezpSessionHandlerDB->read() fails by returning false (for example when no session is found in the database, or when multiple matches are returned), but the return value is never checked. This is effectively a silent failure, and problems can follow from it.
For instance, for DB sessions with a custom SSO handler, if a user's session_key is missing from the database, the user is put in a redirect loop (from the eZUser::instance() SSO user redirect).
Instead, a failed read should throw an exception, generate an error, trigger session regeneration, or otherwise signal a problem.
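As an illustration of the check the report asks for, the following is an added example and not eZ Publish code: a minimal DB-backed session handler whose read() reports failure explicitly (no row, or duplicate rows, are both treated as failures rather than as an empty session), and a caller that inspects the result and logs and restarts instead of carrying on with an uninitialised session. The class names, the `sessions` table and its `session_key`/`session_data` columns, and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example (not eZ Publish code). Table/column names and the SQLite
// connection are assumptions chosen so the script runs stand-alone.

class SessionReadException extends RuntimeException {}

class CheckedDbSessionHandler
{
    public function __construct(private PDO $db) {}

    // Returns the serialized session data, or false when exactly one row
    // cannot be found (missing key or duplicate keys).
    public function read(string $sessionId): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT session_data FROM sessions WHERE session_key = :key'
        );
        $stmt->execute([':key' => $sessionId]);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
        if (count($rows) !== 1) {
            return false;   // failure, not "no data": the caller must react
        }
        return (string) $rows[0];
    }
}

// The caller checks the result. A failed read is logged and turned into a
// fresh, empty session (or an exception if the site prefers hard failure),
// so the request never continues with a half-initialised session state.
function loadSession(CheckedDbSessionHandler $handler, string $sessionId, callable $log, bool $strict = false): string
{
    $data = $handler->read($sessionId);
    if ($data === false) {
        $log("session read failed for key '$sessionId'; starting a new session");
        if ($strict) {
            throw new SessionReadException("no unique session row for key '$sessionId'");
        }
        return '';   // empty serialized session: the user is treated as anonymous
    }
    return $data;
}

// Constructed sample data: one good key, one duplicated key, one absent key.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (session_key TEXT, session_data TEXT)');
$db->exec("INSERT INTO sessions VALUES ('good', 'a:0:{}')");
$db->exec("INSERT INTO sessions VALUES ('dup', 'x'), ('dup', 'y')");

$handler = new CheckedDbSessionHandler($db);
$log = static fn (string $m) => fwrite(STDERR, "[session] $m\n");

foreach (['good', 'missing', 'dup'] as $key) {
    printf("%-8s -> %s\n", $key, var_export(loadSession($handler, $key, $log), true));
}

// Strict mode surfaces the failure as an exception instead of a silent restart.
try {
    loadSession($handler, 'dup', $log, true);
} catch (SessionReadException $e) {
    echo "strict: " . $e->getMessage() . "\n";
}
```

Run with `php example.php`; the 'good' key yields its stored data, while 'missing' and 'dup' each log a failure and fall back to an empty session (or throw in strict mode), which is the visible behaviour the report wants in place of the unchecked false.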