bradjones1 / drupalauth

Automatically exported from code.google.com/p/drupalauth

Asserted as another user! #13

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Log in to Drupal with acct1
2. Go to /user/acct2 (view the user profile, etc)
3. Initiate a drupalauth-based SAML login to your Service Provider
4. You will be logged in NOT as the currently authenticated session, but as the 
user you viewed.

We are using 7.x-1.0.

It looks like this is the responsible piece of code:
```php
// implements hook_user_view()
function drupalauth4ssp_user_view($account, $view_mode, $langcode) {
  _drupalauth4ssp_exec($account);
}
```

Commenting this out fixed the issue for us.  

What reason could there be for setting the user cookie on user view?!

Wouldn't it be much safer just to rely on the native SESS* cookie, that already 
relates to the authenticated user session?

Original issue reported on code.google.com by bjohn...@novologic.com on 13 Dec 2013 at 5:47
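
The reported behaviour as a stand-alone PHP simulation, added here as an illustration and not taken from drupalauth or from the patch in issue 14. `sso_cookie_for()` is a hypothetical stand-in for `_drupalauth4ssp_exec()`, whose body is not shown on this page, and the guard is one possible check rather than the project's fix.

```php
<?php
// Added illustration: plain PHP, no Drupal bootstrap required.
// All names except the acct1/acct2 labels from the report are hypothetical.

$cookies = array();  // simulated cookies sent back to the browser

// Hypothetical stand-in for _drupalauth4ssp_exec(). Assumption: the identity
// later asserted over SAML is derived from the account object passed in.
function sso_cookie_for($account) {
  global $cookies;
  $cookies['sso_uid'] = (int) $account->uid;
}

// Shape of the hook quoted in the report: it forwards the account being
// *viewed*, which is not necessarily the owner of the session.
function user_view_reported($viewed_account) {
  sso_cookie_for($viewed_account);
}

// One possible guard: only ever bind the SSO cookie to the session owner,
// and do nothing when the viewed profile belongs to someone else.
function user_view_guarded($viewed_account, $session_user) {
  $is_authenticated = (int) $session_user->uid > 0;
  $is_own_profile = (int) $viewed_account->uid === (int) $session_user->uid;
  if ($is_authenticated && $is_own_profile) {
    sso_cookie_for($session_user);
  }
}

// Constructed sample accounts matching the steps in the report.
$acct1 = (object) array('uid' => 1, 'name' => 'acct1');  // logged-in session
$acct2 = (object) array('uid' => 2, 'name' => 'acct2');  // profile being viewed

// Step 1: acct1 logs in, so the SSO cookie is bound to acct1.
sso_cookie_for($acct1);

// Step 2 with the reported hook: viewing /user/acct2 rebinds the cookie.
user_view_reported($acct2);
echo "reported hook, SSO cookie uid: {$cookies['sso_uid']}\n";

// Same step with the guard: reset to the post-login state, then view acct2.
sso_cookie_for($acct1);
user_view_guarded($acct2, $acct1);
echo "guarded hook,  SSO cookie uid: {$cookies['sso_uid']}\n";
```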

GoogleCodeExporter commented 9 years ago
I just pushed a patch that fixes this issue (and another one I found).  See the 
patch in issue 14.

Original comment by justin.cherniak@gmail.com on 22 Dec 2013 at 4:37

GoogleCodeExporter commented 9 years ago
This is a pretty serious security issue and I see it's not patched yet.

Original comment by nexor1...@gmail.com on 7 May 2014 at 10:09