<div dir="ltr"><a href="http://code.vtiger.com/vtiger/vtigercrm/issues/56#note_406">Session cookie path needs tuning</a>.</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">--</div><div dir="ltr"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><a href="http://www.facebook.com/vtiger" style="color:rgb(0,0,204)" target="_blank">FB</a> I </span><a href="http://twitter.com/vtigercrm" style="color:rgb(0,0,204)" target="_blank">Twit</a> I <a href="https://www.linkedin.com/company/1270573?trk=tyah" style="color:rgb(0,0,204)" target="_blank">LIn</a> I <a href="https://blogs.vtiger.com" style="color:rgb(0,0,204)" target="_blank">Blog</a> I <a href="https://www.vtiger.com/" style="color:rgb(0,0,204)" target="_blank">Website</a></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Jan 13, 2016 at 8:30 PM, Manu urs <span dir="ltr"><<a href="mailto:manu.k@vtiger.com" target="_blank">manu.k@vtiger.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Thanks Alan for notifying, We will check and get back to you.<br><br><a href="http://code.vtiger.com/vtiger/vtigercrm/issues/56" target="_blank">http://code.vtiger.com/vtiger/vtigercrm/issues/56</a><br><br></div>Regards,<br></div>Manu Urs<br></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 7:45 PM, Alan Bell <span dir="ltr"><<a href="mailto:alan.bell@libertus.co.uk" target="_blank">alan.bell@libertus.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
if you have multiple vtigers on one host then they all share the same scope for the PHP session, which means if you have two vtigers configured like this:<br>
<br>
<a href="http://host/foo/index.php" rel="noreferrer" target="_blank">http://host/foo/index.php</a><br>
username=admin, uid=1, password="foo"<br>
<br>
<a href="http://host/bar/index.php" rel="noreferrer" target="_blank">http://host/bar/index.php</a><br>
username=admin, uid=1, password="bar"<br>
<br>
you can log in to foo, then switch your browser URL to go into the vtiger called bar and you will be logged in with admin access without knowing the password for that system. Works for any matching userid, but we know that the admin user always matches so it is easy to demonstrate with that.<br>
<br>
This is because the includes/main/WebUI.php doesn't check the session application unique id, so it doesn't validate that the session is for the current vtiger<br>
line 39 of includes/main/WebUI.php should be something like:<br>
if ($userid && vglobal('application_unique_key')==$_SESSION['app_unique_key']) {<br>
<br>
if some kind of single sign on between multiple instances is actually the desired behavior then make the application unique id in the config.inc.php match in both systems.<br>
<br>
Alan.<br>
_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a><br>
</blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr"><div>Regards,<br></div>Manu<br></div></div>
</font></span></div>
<br>_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a><br></blockquote></div><br></div>