[RADIATOR] SessionDatabase SQL

Eddie Stassen estassen at gmail.com
Wed Apr 13 04:27:04 CDT 2011


Hi,

Could someone please explain the rationale behind calling DeleteQuery
on the session database when an authentication packet is received?  It
makes no sense to me since the mere reception of an
Authentication-Request is no indication that a session has ended.  It
also means it is potentially very easy for users to bypass
simultaneous login limitations by simply faking a second PPP
session with a bad password (or spoofing an Authentication-Request),
which will cause their existing radonline entry to be deleted and
allow the account to be used from anywhere else.

Is there any way to disable this behaviour without hacking the code?

Eddie

