17955: newtest/Y in URL is not clearing session - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

17955	Bug reports	Survey taking	public	2022-03-14 17:56	2022-04-26 09:42

Reporter	segui	Assigned To	DenisChenu
Priority	urgent	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	5.x

Summary	17955: newtest/Y in URL is not clearing session
Description	Background: I have a close survey that is going to be filled using the same computer. The survey is anonymous and participants are given a token that they have to input at the beginning of the survey. Participants should be able to save midway, come back at a later time, enter their token and land on the survey screen where they left. If participant A closes the browser midway and leaves, and participant B comes to the same computer, the survey link should take participant B to the screen asking for the token. Participants can only participate once, and their tokens are set with only one use allowed. My survey has these settings: Set cookie to prevent repeated participation = OFF Participant may save and resume later = ON Enable participant-based response persistence = ON Allow multiple responses or update responses with one access code = OFF Problem: When a participant stops taking the survey midway, pointing the browser to the survey URL with "/newtest/Y" added to it doesn't clear the session, which is needed for a different participant to start taking the survey from the token input screen.
Steps To Reproduce	Steps to reproduce Create a close survey with 1-use-only tokens Survey settings as in the description. Activate survey. Go to survey URL https://domainname/limesurvey/index.php/123456/lang/en/newtest/Y Enter valid token and start taking survey Save midway and close browser Open browser and point it to https://domainname/limesurvey/index.php/123456/lang/en/newtest/Y Expected result Browser session gets cleared and browser shows screen asking for token. Actual result Session is not cleared and browser lands on the screen where previous participant left.
Tags	No tags attached.

Bug heat	22
Complete LimeSurvey version number (& build)	5.3.4+220309
I will donate to the project if issue is resolved	No
Browser	Google Chrome 99.0.4844.51 (Official Build) (x86_64) , Firefox 98.0 (64-bit)
Database type & version	mysql Ver 15.1 Distrib 10.5.11-MariaDB, for Linux (x86_64)
Server OS (if known)	Red Hat Enterprise Linux Server release 7.9
Webserver software & version (if known)	Apache 2.4
PHP Version	7.2

User List	galads, segui

DenisChenu 2022-03-14 18:04 developer ~68671	Confirm the issue, security issue here.

DenisChenu 2022-03-14 18:36 developer ~68672	5.X : https://github.com/LimeSurvey/LimeSurvey/pull/2295 3.X : https://github.com/LimeSurvey/LimeSurvey/pull/2294 Since : https://github.com/LimeSurvey/LimeSurvey/commit/231d02b55f4e5c11b62cdf2de206a99623520acd (my fault)

DenisChenu 2022-04-26 09:01 developer ~69234	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33432

DenisChenu 2022-04-26 09:04 developer ~69235	Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33433

LimeBot 2022-04-26 09:42 administrator ~69239	Fixed in Release 3.28.8+220426

LimeSurvey: master 4aadb737 2022-04-26 11:01 DenisChenu Committer: GitHub Details Diff	Fixed issue 17955: newtest/Y in URL is not clearing session (#2295) Dev: move newtest check before all other action	Affected Issues 17955
	mod - application/controllers/survey/index.php	Diff File
LimeSurvey: 3.x-LTS 3a083cca 2022-04-26 11:02 DenisChenu Committer: GitHub Details Diff	Fixed issue 17955: newtest/Y in URL is not clearing session (#2294) Dev: move newtest check before all other action	Affected Issues 17955
	mod - application/controllers/survey/index.php	Diff File

Date Modified	Username	Field	Change
2022-03-14 17:56	segui	New Issue
2022-03-14 18:04	DenisChenu	Assigned To	=> DenisChenu
2022-03-14 18:04	DenisChenu	Status	new => assigned
2022-03-14 18:04	DenisChenu	Note Added: 68671
2022-03-14 18:04	DenisChenu	Bug heat	0 => 2
2022-03-14 18:05	DenisChenu	Priority	none => urgent
2022-03-14 18:36	DenisChenu	Status	assigned => ready for code review
2022-03-14 18:36	DenisChenu	Note Added: 68672
2022-03-14 18:36	DenisChenu	Assigned To	DenisChenu => galads
2022-03-15 08:28	galads	Zoho Project Synchronization	=> \|Yes\|
2022-03-15 08:29	galads	Relationship added	has duplicate 17954
2022-03-15 08:29	galads	Bug heat	2 => 8
2022-03-15 08:29	galads	Issue Monitored: segui
2022-03-15 08:29	galads	Bug heat	8 => 10
2022-03-15 08:29	galads	Relationship added	has duplicate 17953
2022-03-15 08:29	galads	Bug heat	10 => 18
2022-03-15 08:29	galads	Issue Monitored: galads
2022-03-15 08:29	galads	Bug heat	18 => 20
2022-04-26 09:01	DenisChenu	Changeset attached	=> LimeSurvey master 4aadb737
2022-04-26 09:01	DenisChenu	Note Added: 69234
2022-04-26 09:01	DenisChenu	Assigned To	galads => DenisChenu
2022-04-26 09:01	DenisChenu	Resolution	open => fixed
2022-04-26 09:04	DenisChenu	Changeset attached	=> LimeSurvey 3.x-LTS 3a083cca
2022-04-26 09:04	DenisChenu	Note Added: 69235
2022-04-26 09:42	LimeBot	Note Added: 69239
2022-04-26 09:42	LimeBot	Status	ready for code review => closed
2022-04-26 09:42	LimeBot	Bug heat	20 => 22

View Issue Details

Steps to reproduce

Expected result

Actual result

Relationships

Users monitoring this issue

Activities

Related Changesets

Issue History

has duplicate	17954	closed	galads	newtest/Y in URL is not clearing session
has duplicate	17953	closed	galads	newtest/Y in URL is not clearing session