On Fri, 8 Sep 2006, Thomas Bruederli wrote:
Martin Marques wrote:
Could be. It actually can happen when there are concurrent requests and
one of them gets a new cookie value. To prevent problems here, the "old"
cookie will still be accepted as well in revision 338.

Doesn't this reopen the security problem related to the authentication cookie?

Only a little. You can authenticate the session with the current auth
cookie or with the last one. This helps, in case that two (almost)
concurrent requests are sent to the server but the "old" cookie will not
authenticate anymore 5 minutes later. We don't allow all "old" cookies,
just the last one.

OK, but if the user hits 5 or 6 straight times the delete button, then
there will be more than 2 concurrent connections (especially with bad
network connections), which will make the third have problems with the
expiration of the cookie. Or am I totally wrong?
--
21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
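
The "current or last cookie" rule discussed in this thread, as an added example that is not part of the original message and not the project's own code. The class and function names are hypothetical, rotation is triggered explicitly so that a burst of requests can be replayed with one or with two rotations in between, and the 5-minute expiry of the old cookie is not modelled.

```python
import hmac
import secrets


class RotatingAuthCookie:
    """Server-side state for one session: the current token and the one before it."""

    def __init__(self):
        self.current = secrets.token_hex(16)
        self.previous = None  # no older token exists until the first rotation

    def rotate(self):
        """Issue a new token; only the token it replaces stays valid."""
        self.previous = self.current
        self.current = secrets.token_hex(16)
        return self.current

    def authenticate(self, presented):
        """Accept the current token or the last one, compared in constant time."""
        for valid in (self.current, self.previous):
            if valid is not None and hmac.compare_digest(presented, valid):
                return True
        return False


def replay_burst(rotations_during_burst, clicks=6):
    """Constructed scenario: `clicks` requests have already left the browser
    with the same cookie, and the server rotates `rotations_during_burst`
    times while they arrive. Returns one True/False result per request."""
    session = RotatingAuthCookie()
    cookie_in_flight = session.current
    results = []
    for i in range(clicks):
        # Spread the rotations over the first requests of the burst.
        if i < rotations_during_burst:
            session.rotate()
        results.append(session.authenticate(cookie_in_flight))
    return results


if __name__ == "__main__":
    print(replay_burst(0))  # no rotation during the burst
    print(replay_burst(1))  # one rotation: the in-flight cookie is now the "last" one
    print(replay_burst(2))  # two rotations: the in-flight cookie is two generations old
```

The number of in-flight requests does not decide the outcome in this model; what decides it is how many rotations happen before a request carrying the older cookie is checked.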