Regenerate session when duplicate Openemr's tab

Amiel · November 13, 2017, 10:00am

Hi.

I’ve found strange behavior of the system. When you duplicate a tab in the browser, the session (and cookie) are regenerated with same data. So if you logout from first tab you are still connected in the second tab.
This is caused because of a ‘session_regenerate_id’ function in the top of main_screen.php file.
I haven’t found a similar behavior in other systems.
I think it can cause security problems because a logout command doesn’t delete all the open sessions.

Why does it work that way?

Thanks
Amiel

brady.miller · November 13, 2017, 10:26am

hi @amiel ,
This was done to support the ‘Open in New Window’ feature in the Patient List. So, when a tab is created, it is treated as a completely separate session (or else the patient_id and encounter_id and a bunch of other session stuff will clash and turn into a patient safety issue).
-brady

Amiel · November 14, 2017, 6:25am

O.k. makes sense.
Thanks.