On Tue, Oct 11, 2011 at 11:34 PM, Richard Hipp <[email protected]> wrote:
> I don't think this applies to JSON. But correct me if I'm wrong.

It doesn't directly affect it, but it might affect my usage of the authentication cookie.

> If the authentication does check out (if the password is correct) then for
> CGI programs the web-server sets the REMOTE_USER environment variable to the
> login that the web-server authenticated. Fossil will honor this REMOTE_USER
> (if the remote_user_ok setting is on) without checking for the login cookie
> or any of its usual login mechanisms.

i think i might have a collision/mismatch here when the client passes an invalid/expired authentication token _and_ REMOTE_USER is set, but i need to test this.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
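
A model of the precedence question raised in the message above, added here as an example; it is not Fossil's code and not part of the original post. The names `resolve_login`, `token_state` and `auth_result`, and the policy of reporting a conflict instead of letting REMOTE_USER silently win, are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* State of the token/cookie the client presented (hypothetical model). */
typedef enum { TOKEN_ABSENT, TOKEN_VALID, TOKEN_INVALID } token_state;

typedef enum {
  AUTH_ANONYMOUS,    /* no identity established */
  AUTH_FROM_TOKEN,   /* identity taken from a valid token */
  AUTH_FROM_REMOTE,  /* identity taken from REMOTE_USER */
  AUTH_CONFLICT      /* REMOTE_USER and the presented token disagree */
} auth_result;

/*
** remote_user:    value of REMOTE_USER, or NULL/"" if the server set none
** remote_user_ok: non-zero when the remote_user_ok setting is on
** ts, token_user: what the presented token decoded to; token_user is
**                 only read when ts==TOKEN_VALID
** *who receives the chosen login, or NULL when none was chosen.
*/
auth_result resolve_login(const char *remote_user, int remote_user_ok,
                          token_state ts, const char *token_user,
                          const char **who){
  int have_remote = remote_user_ok && remote_user && remote_user[0];
  *who = NULL;
  if( have_remote ){
    /* Assumed policy: an invalid/expired token, or a valid token for a
    ** different login, is surfaced as a conflict, not ignored. */
    if( ts==TOKEN_INVALID ) return AUTH_CONFLICT;
    if( ts==TOKEN_VALID && strcmp(remote_user, token_user)!=0 )
      return AUTH_CONFLICT;
    *who = remote_user;
    return AUTH_FROM_REMOTE;
  }
  if( ts==TOKEN_VALID ){ *who = token_user; return AUTH_FROM_TOKEN; }
  return AUTH_ANONYMOUS;
}

/* Stand-alone run: REMOTE_USER from the environment, token assumed invalid. */
int main(void){
  const char *who;
  auth_result r = resolve_login(getenv("REMOTE_USER"), 1,
                                TOKEN_INVALID, NULL, &who);
  return r==AUTH_CONFLICT ? 1 : 0;
}
```
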

