...
BugZero found this defect 2604 days ago.
Resolution: When the localhost bypass is in effect, the server ignores "lsid" in all commands and neither requires auth nor creates a session. Original report: Question for samantha.ritter or jason.carey. Current Drivers Session Spec says all commands include "lsid" if the server supports sessions, with the exceptions of auth commands and ismaster. So "createUser" should include "lsid". However, if the server is started with auth and it has no users, a driver might want to connect without authenticating and issue "createUser". For example, PyMongo's tests detect if the server has started with auth and has no user. If the initial "createUser" command is issued with "lsid", the server responds with error code 13, "there are no users authenticated". What should we do?: createUser with "lsid" is permitted if there are no users created yet, but the server ignores "lsid" (creates no server session) The Drivers Session Spec says that createUser omits "lsid" iff the application doesn't explicitly pass a ClientSession object and the connection isn't authenticated cc rstam. Also I'm curious what emily.stolfo has done to test the Ruby driver. Did you need to work around this?
xgen-internal-githook commented on Wed, 27 Sep 2017 15:27:12 +0000: Author: {'email': 'jcarey@argv.me', 'name': 'Jason Carey', 'username': 'hanumantmk'} Message: SERVER-31116 localhost bypass for sessions Change the behavior or logical session use so that passing a lsid when the localhost bypass is enabled causes the session id to be ignored. This eases the burden on drivers from having to identify that initial createUser command and avoid passing a lsid. Branch: master https://github.com/mongodb/mongo/commit/a1a12aa3422fa0ff7c169c2d58a879e5a402fac9