[ic] Patch: Remove REMOTE_USER From Session Name

Jon Jensen jon at endpoint.com
Mon Apr 6 14:40:24 UTC 2020


On Sun, 5 Apr 2020, Mike Heins wrote:

> Certainly could put
>
> if($Pragma->{session_remote_user} and defined $CGI::user and $CGI::user) {
>     $host = escape_chars($CGI::user);
> }
> elsif($Pragma->{session_remote_user} and $CGI::cookieuser) {
>     $host = $CGI::cookieuser;
> }
> elsif($CGI::cookiehost) {
>     $host = $CGI::cookiehost;
> }
>
> and allow for any users where this would break them. Though I doubt there
> would be any.

I like that idea if anyone reports breakage, but since 
"session_remote_user" isn't an existing pragma, someone who needs it 
probably wouldn't notice it in our release notes and wouldn't use it, so 
would get breakage anyway. 😊 Might as well just wait till that happens 
and add it then, and avoid supporting a likely unused feature.

The only purpose of this behavior that I can think of is that users 
authenticated with HTTP basic auth can move between IP addresses *and* 
without a cookie, and not lose their session. Anyone know otherwise?

Maybe the biggest question is when the last time was that anyone used HTTP 
basic auth for user authentication at all, much less depended on the 
session sticking without cookies ...

Jon


-- 
Jon Jensen
End Point Corporation
https://www.endpoint.com/

