SF.net SVN: ledger-smb: [646] branches/1.2/doc/release_notes
- Subject: SF.net SVN: ledger-smb: [646] branches/1.2/doc/release_notes
- From: ..hidden..
- Date: Thu, 16 Nov 2006 18:39:05 -0800
Revision: 646
http://svn.sourceforge.net/ledger-smb/?rev=646&view=rev
Author: einhverfr
Date: 2006-11-16 18:39:01 -0800 (Thu, 16 Nov 2006)
Log Message:
-----------
Updated release notes
Modified Paths:
--------------
branches/1.2/doc/release_notes
Modified: branches/1.2/doc/release_notes
===================================================================
--- branches/1.2/doc/release_notes 2006-11-16 23:10:22 UTC (rev 645)
+++ branches/1.2/doc/release_notes 2006-11-17 02:39:01 UTC (rev 646)
@@ -104,17 +104,20 @@
are restricted to alphanumeric characters and the symbols ., @, and -.
4.2: Session handling
-SQL-Ledger as of 2.6.17 uses session tokens for authentication. These tokens
+SQL-Ledger as of 2.6.17 used session tokens for authentication. These tokens
are based on the current timestamp and therefore insecure. Furthermore, these
tokens are not tracked on the server, so one can easily forge credentials for
-either the main application or the administrative interface.
+either the main application or the administrative interface. While this was
+corrected in 2.6.18, the solutions chosen by SQL-Ledger (caching the crypted
+password by the browser) is not in line with commonly accepted best security
+practices.
LedgerSMB stores the sessions in the database. These are generated as md5 sums
of random numbers and are believed to be reasonably secure. The sessions time
-out after a period of inactivity. As of the initial release both
-SQL-Ledger-style session ID's and the newer version are required to access the
-application. In future versions, the SQL-Ledger style session ID's will
-probably be removed.
+out after a period of inactivity. In the initial release both
+SQL-Ledger-style session ID's and the newer version were required to access the
+application. In newer versions, the SQL-Ledger style session ID's have been
+removed.
4.3: Database Changes
Under certain circumstances where the Chart of Accounts is improperly modified,
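Review bot: the tense change on the first `+` line ("SQL-Ledger as of 2.6.17 used session tokens") leaves the unchanged context lines after it in the present tense ("are based on the current timestamp and therefore insecure", "these tokens are not tracked on the server"), so the paragraph now describes the timestamp-based tokens as both historical and current; carry the past tense through those two lines or keep the whole 2.6.17 description in one tense. Two smaller points in the same hunk: "the solutions chosen by SQL-Ledger (caching the crypted password by the browser) is not in line" needs "solution ... is" or "solutions ... are", and the new closing sentence "In newer versions, the SQL-Ledger style session ID's have been removed" should name the LedgerSMB version in which the removal happened, since a reader of the 1.2 release notes needs to know whether 1.2 itself still accepts the old session IDs ("IDs" rather than "ID's" throughout).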