View Issue Details

ID: 0006097
Project: mantisbt
Category: security
View Status: public
Last Update: 2005-09-11 08:12
Reporter: mspears
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0rc1
Fixed in Version: 1.0.0rc2
Summary: 0006097: user ID is cached indefinitely
Description

Whenever you run the CVS checkin script, the user always shows up as anonymous (if anonymous logins are allowed). This problem exists because the $g_cache_current_user_id variable is global and never resets to NULL upon successful authentication.

In authentication_api.php, the function auth_get_current_user_id() defines

global $g_cache_current_user_id;

if ( null !== $g_cache_current_user_id ) {
    return $g_cache_current_user_id;
}

This creates an indefinite user ID cache that never gets purged. So, whoever calls this function first wins.

Additional Information

For our purposes, we added code to reset the cached user ID upon successful authentication like

function auth_attempt_script_login( $p_username, $p_password = null ) {
    global $g_cache_current_user_id;

    ... 

    # ok, we're good to login now
    $g_cache_current_user_id = NULL;       

    return true;
}

This fixed the anonymous CVS user problem. However, I'm sure there are other places where authentication may occur which also need to reset the cached user ID.

Tags: No tags attached.

Activities

thraxisp

2005-08-10 12:24

reporter   ~0011142

The $g_cache_current_user_id variable should persist through the run of the program. It serves to reduce the number of database queries. You are correct, however, that it should be cleared, or properly set when the script login happens. I also noted that the user cookie evaluation may be wrong in some cases.

Fixed in CVS.
core/authentication_api.php -> 1.53
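
The stale-identity behaviour discussed in this issue, reproduced as an added example that is not MantisBT's code or the committed fix. The demo_ functions, the user table and the $p_reset_cache switch are assumptions made for illustration, and password checking is left out.

```php
<?php
// Added illustration; names prefixed demo_ are hypothetical, not MantisBT functions.
// Constructed user table: id => username.
const DEMO_USERS = [ 1 => 'anonymous', 7 => 'cvsuser' ];

$g_demo_cached_user_id = null;   // process-lifetime cache, same pattern as in the report
$g_demo_session_user   = null;   // stands in for the cookie / script login state

function demo_lookup_user_id( $p_username ) {
    $t_id = array_search( $p_username, DEMO_USERS, true );
    return ( false === $t_id ) ? null : $t_id;
}

function demo_get_current_user_id() {
    global $g_demo_cached_user_id, $g_demo_session_user;
    if ( null !== $g_demo_cached_user_id ) {
        return $g_demo_cached_user_id;          // cache hit: no lookup is done
    }
    # fall back to anonymous when nobody has logged in yet
    $t_name = ( null === $g_demo_session_user ) ? 'anonymous' : $g_demo_session_user;
    $g_demo_cached_user_id = demo_lookup_user_id( $t_name );
    return $g_demo_cached_user_id;
}

function demo_script_login( $p_username, $p_reset_cache ) {
    global $g_demo_cached_user_id, $g_demo_session_user;
    $t_id = demo_lookup_user_id( $p_username );
    if ( null === $t_id ) {
        return false;                            // unknown user: leave state untouched
    }
    $g_demo_session_user = $p_username;
    if ( $p_reset_cache ) {
        $g_demo_cached_user_id = $t_id;          // point the cache at the new identity
    }
    return true;
}

function demo_run( $p_reset_cache ) {
    global $g_demo_cached_user_id, $g_demo_session_user;
    $g_demo_cached_user_id = null;               // start each run from a clean state
    $g_demo_session_user = null;
    demo_get_current_user_id();                  // early call caches the anonymous ID
    demo_script_login( 'cvsuser', $p_reset_cache );
    return DEMO_USERS[ demo_get_current_user_id() ];
}

echo 'without reset: ', demo_run( false ), "\n";  // identity cached before the login
echo 'with reset:    ', demo_run( true ), "\n";   // identity set by the login
```

Any code path that changes who the current user is has to update or clear the cache in the same step, otherwise later permission checks and audit entries are attributed to whichever identity was resolved first.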