**This is the bug tracker for the AUR web interface.**
Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
https://wiki.archlinux.org/title/Bug_reporting_guidelines
- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.
Source Code:
https://gitlab.archlinux.org/archlinux/aurweb/
FS#12898 - Some aur tools might create multiple sessions.
Attached to Project:
AUR web interface
Opened by Loui Chang (louipc) - Friday, 23 January 2009, 06:24 GMT
Last edited by Lukas Fleischer (lfleischer) - Wednesday, 09 March 2011, 17:14 GMT
Details: I noticed a user with five sessions on AUR.
He was using yaourt to vote for packages.
Closed by Lukas Fleischer (lfleischer)
Wednesday, 09 March 2011, 17:14 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 1.8.1.
1. If there are already say two sessions, and a third one is attempted
we can destroy the two old ones and acknowledge a third new one.
2. We can deny more than two, or maybe three sessions to encourage
clients to properly log out, or save their cookies.
This method could create an issue if the session is a 'remembered' session.
So we should only deny if there are more than two 'non remembered' sessions.
attack vector. It's possible that the database could be overloaded with sessions long before the
login timeout. I haven't really tried it though.
A proposed solution would be to set a max_sessions_per_user parameter.
Drop all sessions if max_sessions_per_user is exceeded.
Heh. They're also not configurable from config.inc.
That should be changed.
Would it be wrong to ask/expect such a user to reuse some sessions?
[1] http://projects.archlinux.org/aur.git/commit/?id=f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b
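
The per-user session cap discussed in the comments above, as an added example that is not aurweb's code and not taken from the fix in 1.8.1. Only the `max_sessions_per_user` name comes from the thread; the table schema, function names, limit and timeout values are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

MAX_SESSIONS_PER_USER = 2   # parameter name from the thread; the value is an assumption
LOGIN_TIMEOUT = 7200        # seconds; constructed value for this example

def open_db():
    # Hypothetical schema for the example, not aurweb's real session table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER,"
               " last_seen INTEGER, remembered INTEGER)")
    return db

def login(db, user_id, remembered=False, now=None):
    """Create a session while enforcing the per-user cap at login time."""
    now = int(time.time()) if now is None else now
    with db:  # one transaction: prune, count, evict, insert
        # Expired rows go first, so they neither count nor pile up in the table.
        db.execute("DELETE FROM sessions WHERE remembered = 0 AND last_seen < ?",
                   (now - LOGIN_TIMEOUT,))
        (active,) = db.execute(
            "SELECT COUNT(*) FROM sessions WHERE user_id = ? AND remembered = 0",
            (user_id,)).fetchone()
        if not remembered and active >= MAX_SESSIONS_PER_USER:
            # Cap reached: destroy the old non-remembered sessions and
            # accept the new one, leaving 'remembered' sessions alone.
            db.execute("DELETE FROM sessions WHERE user_id = ? AND remembered = 0",
                       (user_id,))
        sid = secrets.token_hex(16)
        db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
                   (sid, user_id, now, int(remembered)))
    return sid

def session_count(db, user_id):
    """Number of stored sessions (remembered or not) for one user."""
    return db.execute("SELECT COUNT(*) FROM sessions WHERE user_id = ?",
                      (user_id,)).fetchone()[0]
```

Remembered sessions are exempt from the cap here, as the thread suggests, so this check alone does not bound them.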