If a user who is currently logged in to WebMods is deleted, his CWebSession
still kept a stale CUser pointer around. The next time he loaded a web page,
Bad Things(tm) happened.
This is fixed by deleting all of a user's sessions when that user is deleted.
Thanks to DarthGandalf for spotting the bug and writing the patch.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1827 726aef4b-f618-498e-8847-2d620e286838
When a CWebSock was destroyed before its CWebAuth, the CWebAuth dereferenced a
stale pointer once it was used again. Fix this by calling
CAuthBase::Invalidate() appropriately.
Thanks to DarthGandalf for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1826 726aef4b-f618-498e-8847-2d620e286838
We now use a lot more data for generating the session id which is fed to a hash
to make it impossible to attack specific parts of the input.
Also we now retry generating a new session id in the (improbable) case of
collision with an existing session id.
Thanks a lot to cnu for pointing out the weakness in the old code by stealing my
session cookie, you evil hacker!
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1819 726aef4b-f618-498e-8847-2d620e286838
psychon