DriveThruRPG.com Security issue.

jmucchiello said:
Putting on my professional programmer hat....

Um, no, RPGNow's problem is a different (easily understood) problem since C Blaze claims he typed the URL in and hit enter. That means it isn't a PHP session error, it is something else.

And thus I would say it is unfortunate that the bug is hard to duplicate because that means it will be hard to prove that it is fixed.

... hat off.
Similar != Same

if (problem == userlogin) {
Similar
} else {
OtherProblem
}

They might not have the same technical problem, but they have a similar functional problem.
 


Cergorach said:
They might not have the same technical problem, but they have a similar functional problem.
Granted. But the PHPSESSION bug is easy to understand. A typed URL logging you in as someone else sounds more severe.
 

C. Baize said:
jmucchiello, dude... When in doubt, C&P. It's Baize, man... as cool as it would be to be "Mr. Blaze" ... I'll leave that to Johnny.
Baize.
:)
What doubt? I'm mildly dyslexic. It took me 3-4 reads of this message to understand what I'd done wrong.

No blood, no foul. Peace.
 

rpghost said:
That can happen if you bookmarked or followed a link into the site that had the PHP SESSION ID = part of the URL. It forces you to use a specific session ID that might be used by someone else. Remove the &PHPSESSID= or whatever part from your bookmark or notify any webmaster to do the same and the issue will not happen.

But that's no guarantee. We had the same issues at RPGNow for a while till we upgraded and changed some internal settings to prevent that.

James

Man, that would be a rare occurrence. The only really good workaround that I know of is to require cookies. But then, some people don't like cookies...

Don't know why. I like cookies. Except for oatmeal ones.

What did RPGNow do to prevent this issue?
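
Added example, not part of the thread and not RPGNow's or DriveThruRPG's actual change: one way a PHP site can stop a PHPSESSID carried in a bookmarked or shared link from selecting the visitor's session, which is the "require cookies" approach mentioned above. The helper name establish_login() and the HTTPS assumption are illustrative.

```php
<?php
// Added illustration only; not code from RPGNow or DriveThruRPG.
declare(strict_types=1);

// These settings must be applied before session_start().
ini_set('session.use_only_cookies', '1'); // ignore session IDs supplied in the URL
ini_set('session.use_trans_sid', '0');    // never append the session ID to generated links
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue itself
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
ini_set('session.cookie_secure', '1');    // assumption: the site is served over HTTPS
ini_set('session.cookie_samesite', 'Lax');

// If an old bookmark or inbound link still carries the session parameter,
// redirect to the same page without it so it stops being copied around.
$name = session_name(); // "PHPSESSID" unless the site renamed it
if (isset($_GET[$name])) {
    $params = $_GET;
    unset($params[$name]);
    $path  = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $query = http_build_query($params);
    header('Location: ' . $path . ($query !== '' ? '?' . $query : ''), true, 302);
    exit;
}

session_start();

// Hypothetical helper: call only after the password check has succeeded.
function establish_login(int $userId): void
{
    // Issue a fresh ID and delete the old session, so an ID known to anyone
    // else before login is never the one bound to this account.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With use_only_cookies on, two visitors who follow the same link containing a session ID each get their own cookie-bound session instead of sharing the one named in the URL.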
 
