
Security fix that started all this
Was the switch to using server side sessions in the security fix really
wanted or was it just the easy way to fix the problem?

I have a path I did as a proof of concept for Dieter that uses server
side secrets and Digest::MD5 (could easily be changed to Digest::SHA1)
that doesn't even require cookies. It sticks a digest and expiry time
into the sessionid form variable.

If the plan is to actually use server side sessions to store data in the
future then by all means let's refine what we have now. But I just want
to ask the question: Do we really want server side per session storage
or was it just the way that seemed easiest to solve the problem at hand?

It looks like Dieter is going his own way with patching SQL Ledger so I
guess my patch is up for grabs. He sent me another pre-release test
version of 2.6.18 this morning, I'm not real happy with what I'm seeing.

-- 
Tony Fraser
..hidden..
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398
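One way to build the kind of stateless token the email sketches (a digest plus expiry carried in the sessionid form variable, keyed by a server-side secret). This is an added illustration, not Tony's patch or SQL-Ledger code; the secret and login are constructed values, and an HMAC over the data is substituted for a bare Digest::MD5 of secret and data so the token cannot be forged or extended without the secret.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret; a real deployment loads it from server-side config.
SERVER_SECRET = b"constructed-example-secret"


def make_sessionid(login: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a stateless sessionid: login, absolute expiry, and an HMAC over both.

    The HMAC (keyed with the server secret) replaces a plain hash of
    secret||data, which would be open to length-extension on MD5/SHA1.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    payload = f"{login}:{expires}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha1).hexdigest()
    return f"{login}:{expires}:{mac}"


def verify_sessionid(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the login if the token is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        # rsplit keeps any ':' inside the login itself intact.
        login, expires_s, mac = token.rsplit(":", 2)
        expires = int(expires_s)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{login}:{expires}".encode(), hashlib.sha1).hexdigest()
    # Constant-time compare so the MAC check leaks nothing via timing.
    if not hmac.compare_digest(mac, expected):
        return None
    if now >= expires:
        return None
    return login
```

Because the expiry is covered by the MAC, a client cannot extend its own session by editing the timestamp, and the server needs no per-session storage to validate it.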