REing a TCP sever. Successful auth is cached with time-based expiration. I suspect the intent was to a resume a session if the underlying TCP connection died due to an IP change.
So, the cache is keyed on a unique session id, right? No.
Entries are keyed on the socket fd and aren't expired on a connection close. If a new client happens to get the same fd before the cache entry expires, they bypass auth. If they attempt to provide new creds, they are ignored!
Ugh. Started assembling another computer today. Couldn't find thermal paste. Drove to Fry's to get some. Finish assembling everything. Won't boot.
Hour of futzing around. Discovered BMC shows POST codes and Supermicro publishes a list if them for this board. Wrong RAM! Seriously?!?
Building computers isn't nearly as fun as used to be.
Authentication bypass on and inauthentic firmware updates accepted by self-encrypting SSDs. That's as bad as it can be for storage device security. https://www.westerndigital.com/support/productsecurity/wdc-19006-sandisk-x600-sata-ssd