In class Session (from file web/system/libraries/Session.php) the method checkPasswordCgiAuth should return false (eg. no authenticated) when getting error from accessing cgi_auth.cgi URL.
In current implementation, when cgi_auth.cgi URL is not set (or wrong set) any user is successfully authenticated and marked as embedded (that means that at next syncUsers function call this user will be deleted).
In class Session (from file web/system/libraries/Session.php) the method checkPasswordCgiAuth should return false (eg. no authenticated) when getting error from accessing cgi_auth.cgi URL.
After line
should insert
In current implementation, when cgi_auth.cgi URL is not set (or wrong set) any user is successfully authenticated and marked as embedded (that means that at next syncUsers function call this user will be deleted).