Hello fellow developers,

So as to preserve the security of our users, we do one small thing: the user name and password (and registration info) are submitted over https. All other communication is done over http.
This works well for someone connected normally to the internet. This works incorrectly for someone who is forced to use a proxy by their network conditions, e.g. hotels, wifi hotspots and the networks provided by mobile devices. The reason this is the case is the following: MyPersistentLoginManager.checkValidation checks a "validation" cookie which computes a salted hash of the triple username, password and IP. In the cases above, the IPs are different, so the validation fails, the login is unsuccessful, and the console says:

> Login cookie validation hash mismatch! Cookies have been tampered with

What are our options? Is it true that removing the IP from this validation would make the system weak, as anyone stealing the cookie from another IP could become that user? Would it be as simple as finding the right header "chain end" and replacing it? It seems that it would be possible.

paul
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
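As an added illustration, not XWiki's MyPersistentLoginManager code and not part of the message above, the following constructed Python model shows the mechanism the post describes: a salted hash over the (username, password, IP) triple, the check that fails when a proxy pool changes the client's address between login and the next request, what changes when the IP is dropped from the triple, and one way to read the originating address from the X-Forwarded-For chain only when the direct peer is a proxy we trust. The salt, user, passwords, addresses and the `trusted_proxies` set are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, Optional

# Constructed example: a server-side secret used to salt the validation hash.
SERVER_SALT = b"constructed-example-salt-not-a-real-secret"


def validation_hash(username: str, password: str, ip: Optional[str],
                    salt: bytes = SERVER_SALT) -> str:
    """Keyed (salted) hash over the (username, password, IP) triple.

    ip=None models the variant the post asks about, where the IP is
    removed from the triple and the cookie is bound to the credentials only.
    """
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    data = b""
    for field in (username, password, ip or ""):
        raw = field.encode("utf-8")
        data += len(raw).to_bytes(4, "big") + raw
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def check_validation(cookie_hash: str, username: str, password: str,
                     ip: Optional[str], salt: bytes = SERVER_SALT) -> bool:
    """Recompute the hash for the current request and compare in constant time."""
    expected = validation_hash(username, password, ip, salt)
    return hmac.compare_digest(cookie_hash, expected)


def client_ip(remote_addr: str, headers: Dict[str, str],
              trusted_proxies: FrozenSet[str]) -> str:
    """Pick the address to bind the cookie to.

    X-Forwarded-For is only consulted when the direct peer is a proxy we
    operate or trust; otherwise any client could set the header and choose
    its own "IP". The chain is walked from the right (the hop nearest us),
    skipping trusted proxies, and the first other address is taken as the
    originating client. If the whole chain is ours, fall back to the peer.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in chain if h]):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def proxy_scenario() -> Dict[str, bool]:
    """Model the situation in the post.

    The cookie is issued from one address, the next request arrives from
    another (e.g. a carrier or hotel proxy pool), and an attacker replays a
    stolen cookie from a third address. Constructed data throughout.
    """
    user, pw = "paul", "correct horse battery staple"
    login_ip, pool_ip, attacker_ip = "203.0.113.10", "203.0.113.11", "198.51.100.99"

    bound = validation_hash(user, pw, login_ip)   # current scheme: IP in the triple
    unbound = validation_hash(user, pw, None)     # proposed variant: IP removed

    return {
        # IP-bound cookie: works from the login address only.
        "bound_same_ip": check_validation(bound, user, pw, login_ip),
        "bound_ip_changed_by_proxy": check_validation(bound, user, pw, pool_ip),
        "bound_stolen_from_other_ip": check_validation(bound, user, pw, attacker_ip),
        # Without the IP, a proxy change no longer matters, and neither does
        # the address a stolen cookie is replayed from.
        "unbound_any_ip": check_validation(unbound, user, pw, None),
    }


if __name__ == "__main__":
    for name, ok in proxy_scenario().items():
        print(f"{name:28s} {'valid' if ok else 'hash mismatch'}")
    print(client_ip("10.0.0.1", {"X-Forwarded-For": "203.0.113.10, 10.0.0.5"},
                    frozenset({"10.0.0.1", "10.0.0.5"})))
```

Running the scenario reproduces the reported failure (`bound_ip_changed_by_proxy` is false) and makes the trade-off explicit: the same property that rejects the proxied user also rejects a cookie replayed from another address, and removing the IP removes both. Whether `client_ip` helps depends on the proxy actually sending the originating address and on that address staying stable across requests; the function deliberately ignores the header when the peer is not in `trusted_proxies`.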

