Hi Gustaf,
I thought of stepping in to help out.
From what I can see, it's probably the following patch you are referring to:
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.74.2.10 -r1.74.2.11
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Feb 2014 19:38:26 -0000 1.74.2.10
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Jul 2014 23:33:11 -0000 1.74.2.11
@@ -419,6 +419,12 @@
# the empty string
set prev_user_id [ad_conn user_id]
+ #
+ # Change the session id for all user_id changes, also on
+ # changes from user_id 0, since owasp recommends to renew the
+ # session_id after any privilege level change
+ #
+ #if { $prev_user_id != 0 && $prev_user_id != $new_user_id }
if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {
# this is a change in identity so we should create
# a new session so session-level data is not shared
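Review bot: the new comment states that the session id should be renewed on every user_id change, including changes from user_id 0, but the condition on the line right below it is unchanged and still reads `if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {`; the commented-out line above it is identical to the live one, so the `$prev_user_id != 0 &&` clause was never dropped. If the intent is to renew the session on any identity change, the condition should become `if { $prev_user_id != $new_user_id } {`, so that a login from an anonymous (user_id 0) session also gets a fresh session id and session-level data is not carried over.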
Can you please review? Seems that logic did not change.
Thanks!