Vadim Gritsenko wrote:
Leszek Gawron wrote:

Sylvain Wallez wrote:

Leszek Gawron wrote:

Sylvain Wallez wrote:

This has already been identified by Leszek Gawron. Although this is an issue, it can only be exploited by hijacking a continuation ID which, if done, also means the ability to hijack the session ID and therefore the associated authorizations.


Exactly.


1. You login.
2. Do stuff.
3. Logout.


Did you forget to invalidate continuations? Your fault. (1)
Invalidating every continuation by hand is asking for problems that are hard to find.
For a web application which requires a session it is very convenient to invalidate all continuations when the continuation holder is unbound from the session (session invalidated).


I left some comments already in the bug report.
Thank you. I have made a comment also. Please read it if you have time.

--
Leszek Gawron                                      [EMAIL PROTECTED]
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
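One way to get the behaviour Leszek describes, as an added illustration that is not Cocoon's own code and not part of the thread: a holder object stored as a session attribute implements the servlet API's `HttpSessionBindingListener`, so the container calls `valueUnbound` when the session is invalidated (logout) or expires, and the holder invalidates every continuation it tracks. The `Continuation` interface, the `ContinuationHolder` class and the attribute key `continuation-holder` are hypothetical names chosen for this example.

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical minimal continuation: something identified by an ID that can be invalidated.
interface Continuation {
    String getId();
    void invalidate();
    boolean isValid();
}

// Stored as a session attribute. When the container unbinds it (session.invalidate()
// on logout, session timeout, or removeAttribute), every tracked continuation is
// invalidated, so a continuation ID that leaked is useless once the session is gone.
public class ContinuationHolder implements HttpSessionBindingListener {
    public static final String ATTR = "continuation-holder"; // hypothetical attribute key
    private final Map<String, Continuation> continuations = new ConcurrentHashMap<>();

    // Fetch the holder for this session, creating and binding it on first use.
    public static ContinuationHolder forSession(HttpSession session) {
        ContinuationHolder holder = (ContinuationHolder) session.getAttribute(ATTR);
        if (holder == null) {
            holder = new ContinuationHolder();
            session.setAttribute(ATTR, holder); // container calls valueBound here
        }
        return holder;
    }

    public void register(Continuation c) {
        continuations.put(c.getId(), c);
    }

    // Resolve an ID only to a continuation that is still valid.
    public Continuation lookup(String id) {
        Continuation c = continuations.get(id);
        return (c != null && c.isValid()) ? c : null;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do on bind; state is created lazily by register().
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Session invalidated or expired: drop every continuation at once.
        for (Continuation c : continuations.values()) {
            c.invalidate();
        }
        continuations.clear();
    }
}
```

Code that resumes a continuation should go through `lookup`, so an ID belonging to an invalidated session is rejected instead of resumed.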
