Hi,
I have two CMSMS sites installed on our vhost:
1. Located at /
2. Located at extranet/demo
If I log into the admin section of extranet/demo, and then browse to the first installation at /, I am able to get into the admin section straight away without logging in. Has anyone else experienced this, and if so, is there any workaround?
Thanks,
Aengus
Security issue with multiple CMSMS installs on same vhost
Re: Security issue with multiple CMSMS installs on same vhost
Session is attached to the domain; if you have the same username on both installations it will do as you described.
Different usernames for extranet would fix this for now.
I think we should add a way to do this correctly though...
PS. Thanks for the reminder, this has come up before also, but we've forgotten it.
PPS. Could you add a bug and/or feature request into the core tracker so this won't get buried in the forum, thanks.
And what do people think, would it be good to have some way to either enable this behavior or disable it? I myself can see this as a negative and positive feature...
Re: Security issue with multiple CMSMS installs on same vhost
I thought it was a nice feature as it lets me go from one install to the other just by going to 'Main' and then change the URL in the add. bar to switch to another site to get something or work on it, sometimes it makes me login when I hit a menu item... of course I use the same login name/password on all of them...
-
superdataman
Re: Security issue with multiple CMSMS installs on same vhost
I agree that it would be good to have the choice to turn it on or off. I can see myself using it both ways depending on my Web host configuration.
Re: Security issue with multiple CMSMS installs on same vhost
lampsie wrote: Has anyone else experienced this, and if so is there any workaround?
In include.php, changing the session id from CMSSESSID to a unique value in this code (line 37) might solve it (depending on server settings):
@session_name('CMSSESSID');
Last edited by Anonymous on Sun Nov 19, 2006 11:30 am, edited 1 time in total.
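
Following the suggestion above, one way to give each install its own session cookie name and cookie path rather than picking a new value by hand. This is an added example, not part of the thread and not CMSMS code; the helper names are hypothetical, and it assumes the file containing it sits in the install's root directory.

```php
<?php
// Added example, not CMS Made Simple code. install_session_name() and
// install_cookie_path() are hypothetical helpers.

// Session cookie name unique to this install directory. session_name()
// wants alphanumeric characters only, so the path is hashed, not embedded.
function install_session_name($installRoot)
{
    $real = realpath($installRoot);
    return 'CMSSESSID' . substr(md5($real !== false ? $real : $installRoot), 0, 8);
}

// URL path of the install relative to the document root, used as the
// cookie path so the browser only sends the cookie under that prefix.
function install_cookie_path($docRoot, $installRoot)
{
    $doc  = rtrim(str_replace('\\', '/', $docRoot), '/');
    $root = rtrim(str_replace('\\', '/', $installRoot), '/');
    if ($root !== $doc && strpos($root, $doc . '/') === 0) {
        return substr($root, strlen($doc)) . '/';
    }
    return '/'; // install is the document root, or lives outside it
}

$installRoot = dirname(__FILE__);
$docRoot = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : $installRoot;

// A cookie scoped to "/" is still sent to every sub-directory, so the
// distinct name is what separates the installs; the path only keeps a
// sub-directory install's cookie away from the rest of the vhost.
session_name(install_session_name($installRoot));
session_set_cookie_params(0, install_cookie_path($docRoot, $installRoot));
session_start();
```

Existing admin sessions are dropped once the name changes, so each install needs a fresh login afterwards.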


