OK, I emptied the xoops_sessions table, with no joy. If I log in, a new session is created in the xoops_sessions table that is linked to my IP address.
A friend then clicks the link and bingo, he's in, but the sessions table doesn't update -- it stays the same, including my IP address, the only one listed. He then logs out and attempts to log in with his own account, not using the hack -- my session is removed from the table and one is opened with his IP address.
This behaviour is beyond me.
I'm assuming that I may have to revert back to getting rid of the "remember me" hack, but I don't know if that is going to solve the problem (I seem to recall a similar problem before, but I might have sequences wrong in my recall).
What worries me is that this vulnerability seems to be oblivious to the actual PHP/HTML of the pages served -- it gains access by going directly to the database. Do you think if I replace all my PHP files I will clear out the "Remember Me" hack and thus close the hole? I am trying to get hold of the developer that set it up for me, as the only choice I have is to get rid of the hack and restore my site to not being vulnerable, or move to a different CMS, which I don't want to do as I love XOOPS.
Anyway, some comments on removing the remember me hack would be much appreciated.