Kiran Ayyagari (JIRA) wrote:
> [ https://issues.apache.org/jira/browse/DIRSERVER-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094873#comment-13094873 ]
>
> Kiran Ayyagari commented on DIRSERVER-1651:
> -------------------------------------------
>
> This is still susceptible to spoofing unless cryptographically signed. IMHO,
> the solution is to encrypt the whole cookie.

There is nothing to be gained from maliciously spoofing the cookie, since the
operation is part of a regular Search request. I.e., the client can only ever
retrieve any information that server authorizations would already allow the
client to see.
Indeed, slapd's -c option allows a sysadmin to set any cookie value at all;
this is intended to be used to force a consumer to re-pull data from an older
point in time, in case more recent data was lost/corrupted/whatever.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/