PacketFence - BTS - PacketFence
View Issue Details
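ID: 0000761
Project: PacketFence
Category: core
View Status: public
Date Submitted: 2009-08-11 09:26
Last Update: 2012-02-29 10:58
Reporter: obilodeau
Assigned To: obilodeau
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
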
0000761: Registration credentials stored in session allow user to re-register without entering username / password
Affects local auth module.


Steps to reproduce:

1. Connect to a packetfence managed switch with an unregistered device
2. Register using local auth (username / password in web captive portal)
3. De-register the node using web interface or SQL query
4. Re-open captive portal page, when you click to register you get registered right away without inputting user / pass.

It's most likely a session issue, the credentials should be wiped from the session.

Need to test:
- Is the session persistent or not? If I close the browser, do I need to enter user/pass again to re-register, if so this bug is not really important since it'll mostly happen during devel/testing.
No tags attached.
Issue History
Date Modified | Username | Field | Change
2009-08-11 09:26 | obilodeau | New Issue |
2009-08-19 15:55 | obilodeau | Status | new => assigned
2009-08-19 15:55 | obilodeau | Assigned To | => obilodeau
2009-12-10 10:35 | obilodeau | Note Added: 0001438 |
2009-12-10 11:21 | obilodeau | Note Added: 0001439 |
2009-12-10 11:38 | obilodeau | Note Added: 0001440 |
2009-12-10 11:38 | obilodeau | Status | assigned => resolved
2009-12-10 11:38 | obilodeau | Resolution | open => fixed
2009-12-10 11:40 | obilodeau | Note Added: 0001441 |
2011-01-26 15:43 | obilodeau | Status | resolved => closed
2011-06-17 17:24 | obilodeau | Relationship added | related to 0001227
2011-06-17 17:24 | obilodeau | Relationship deleted | related to 0001227
2012-02-29 10:58 | obilodeau | Category | future => core

Notes
(0001438)
obilodeau   
2009-12-10 10:35   
The session is not persistent so closing / re-opening the browser seems to remove stored credentials but it's still pissing off Regis enough that he wrote a little patch:

--- web.pm.old	2009-12-08 14:20:47.000000000 -0800
+++ web.pm	2009-12-08 14:22:20.000000000 -0800
@@ -484,9 +484,9 @@
 
     my ( $cgi, $session ) = @_;
     my $logger = Log::Log4perl::get_logger('pf::web');
-    if ( $session->param("login") ) {
-        return ( 1, 0 );    # if logged in, don't bother going further
-    }
+#    if ( $session->param("login") ) {
+#        return ( 1, 0 );    # if logged in, don't bother going further
+#    }
     if (   $cgi->param("login")
         && $cgi->param("password")
         && $cgi->param("auth") )
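
Review bot: the three lines guarding on `$session->param("login")` are commented out instead of deleted, which leaves dead code in place with no explanation; delete them and put a one-line comment above the `$cgi->param("login")` test saying that a login stored in the session is deliberately not accepted as authentication. The hunk also leaves open whether `login` is still written to the session after a successful check; if it is, clearing it when the node is de-registered would keep the stale value from being picked up by any other code that reads it.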


I'll now investigate if this was a real "feature" or if it's just something that was done like that for no reason. If it's the latter, then I'll apply the patch to mtn.
(0001439)
obilodeau   
2009-12-10 11:21   
Was introduced before monotone history.

Read the code and aside from having to re-login when viewing status page or to deregister, I see no change from current behavior.

Searched mailing list archive without any findings related to that behavior.

I'll consider this a bug and fix it.
(0001440)
obilodeau   
2009-12-10 11:38   
fixed in 1.8 branch at monotone rev: 7a8b920c5ac95d7b830c45af80832f0b358744e3
will be ported to 1.9 branch
(0001441)
obilodeau   
2009-12-10 11:40   
Reminder sent to: rbalzard

Fix applied to prevent the annoying automatic re-registration.
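
The reproduction steps from the report, replayed against the check before and after the patch, as an added example that is not PacketFence code or part of the original ticket. Plain hashes stand in for the session and the submitted form; the sub names, the user store and the failure code are assumptions.

```perl
use strict;
use warnings;

# Constructed sample account; plaintext only to keep the example short.
my %USERS = ( alice => 'constructed-password' );

# Pre-patch behaviour: a "login" value left in the session is accepted as
# proof of authentication, so the submitted form is never looked at.
sub auth_trusting_session {
    my ( $form, $session ) = @_;
    return ( 1, 0 ) if $session->{login};
    return auth_form_only( $form, $session );
}

# Post-patch behaviour: only credentials submitted with this request count.
sub auth_form_only {
    my ( $form, $session ) = @_;
    my ( $login, $password ) = @{$form}{qw(login password)};
    if (   defined $login && defined $password
        && defined $USERS{$login} && $USERS{$login} eq $password )
    {
        $session->{login} = $login;
        return ( 1, 0 );
    }
    return ( 0, 1 );    # assumed failure code
}

# Replay the four steps with the given check and return the node's final state.
sub replay {
    my ($auth) = @_;
    my %session;
    my %node = ( status => 'unreg' );    # step 1: unregistered device
    my %creds = ( login => 'alice', password => 'constructed-password' );
    my ($ok) = $auth->( \%creds, \%session );    # step 2: register with user / pass
    $node{status} = 'reg' if $ok;
    $node{status} = 'unreg';    # step 3: de-registered; the session is untouched
    ($ok) = $auth->( {}, \%session );    # step 4: portal re-opened, nothing entered
    $node{status} = 'reg' if $ok;
    return $node{status};
}

printf "session trusted: node ends up %s\n", replay( \&auth_trusting_session );
printf "form only:       node ends up %s\n", replay( \&auth_form_only );
```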