Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3728

GSSAPI auth commands must not use implicit sessions

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.18.0, 1.17.3, 1.18.0-alpha
    • Affects Version/s: None
    • Component/s: None

      Authentication commands must not append a session ID per the driver session spec.

      CDRIVER-2449 discovered that most auth commands were including the session ID unintentionally. The resolution was to set prohibit_lsid=true in the mongoc_cmd_parts_t used to construct the command. For example, in _mongoc_cluster_auth_node_cr:

         mongoc_cmd_parts_init (
            &parts, cluster->client, auth_source, MONGOC_QUERY_SLAVE_OK, &command);
         parts.prohibit_lsid = true;
      

      However, _mongoc_cluster_auth_node_cyrus and _mongoc_cluster_auth_node_sspi do not set prohibit_lsid. I believe they may still be appending a session ID unintentionally.

            Assignee:
            Unassigned Unassigned
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: