- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None

Authentication commands must not append a session ID per the driver session spec.
CDRIVER-2449 discovered that most auth commands were including the session ID unintentionally. The resolution was to set prohibit_lsid=true in the mongoc_cmd_parts_t used to construct the command. For example, in _mongoc_cluster_auth_node_cr:
    mongoc_cmd_parts_init (
       &parts, cluster->client, auth_source, MONGOC_QUERY_SLAVE_OK, &command);
    parts.prohibit_lsid = true;
However, _mongoc_cluster_auth_node_cyrus and _mongoc_cluster_auth_node_sspi do not set prohibit_lsid. I believe they may still be appending a session ID unintentionally.

- is related to: CDRIVER-2449 Session ID is included in authenticate command (Closed)
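
A source audit for the gap described in this ticket, as an added example that is not part of the ticket or of libmongoc: it flags any `_mongoc_cluster_auth_node_*` function that calls `mongoc_cmd_parts_init` without setting `prohibit_lsid = true` on the same variable. The sample source is constructed (the function names come from the ticket, the bodies are simplified stand-ins), and the helper names `function_bodies` and `missing_prohibit_lsid` are hypothetical.

```python
import re

# Constructed stand-in source: function names are from the ticket, bodies are
# simplified placeholders and not the real libmongoc code.
SAMPLE_SOURCE = r'''
static bool
_mongoc_cluster_auth_node_cr (mongoc_cluster_t *cluster)
{
   mongoc_cmd_parts_init (
      &parts, cluster->client, auth_source, MONGOC_QUERY_SLAVE_OK, &command);
   parts.prohibit_lsid = true;
   return run (&parts);
}

static bool
_mongoc_cluster_auth_node_cyrus (mongoc_cluster_t *cluster)
{
   for (;;) {
      mongoc_cmd_parts_init (
         &parts, cluster->client, "$external", MONGOC_QUERY_SLAVE_OK, &cmd);
      if (!run (&parts)) { return false; }
   }
}
'''

FUNC_START = re.compile(r'^(_mongoc_cluster_auth_node_\w+)\s*\(', re.M)
INIT_CALL = re.compile(r'mongoc_cmd_parts_init\s*\(\s*&(\w+)')

def function_bodies(source):
    """Yield (name, body) per auth function; braces in strings/comments are not handled."""
    for m in FUNC_START.finditer(source):
        open_idx = source.find('{', m.end())
        if open_idx == -1 or ';' in source[m.end():open_idx]:
            continue  # a prototype, not a definition
        depth, i = 0, open_idx
        while i < len(source):
            depth += {'{': 1, '}': -1}.get(source[i], 0)
            if depth == 0:
                break
            i += 1
        yield m.group(1), source[open_idx:i + 1]

def missing_prohibit_lsid(source):
    """Return auth functions that init cmd parts but never set prohibit_lsid = true."""
    setter = r'\b{}\.prohibit_lsid\s*=\s*true\b'
    return [name for name, body in function_bodies(source)
            if any(not re.search(setter.format(re.escape(v)), body)
                   for v in INIT_CALL.findall(body))]
```

Run against the real source file, an empty result means every auth function that builds a command also prohibits the session ID; the check is textual, so it does not replace a test that inspects the command actually sent.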