Maybe it could be called Remote Key or something and used both for JSON and RSS.

Jeremy

From: Jeremy Cowgar
Sent: Tuesday, November 22, 2011 4:42 PM
To: Fossil SCM user's discussion
Subject: Re: [fossil-users] Authentication via URL

I just thought of another potential solution; I think maybe the best option yet? On the logout page (where you can also change your password, etc.) provide/display an "RSS" key. The "RSS Key" could be a hash based on various elements inside the fossil repo: the repo name, the user, the password and of course a few other items, hashed over multiple times for security. The user could then access the RSS feed without authentication but with the "RSS Key."

The "RSS Key", if anyone greps the log for it, would grant them access (until your password was changed) to view what has changed but not any detail. Thus, it is much less of a security hazard. With the Cookie name and value on the URL, anyone sniffing the network or watching logs could gain full access to your fossil repo. Not so with the RSS key idea.

I could implement the RSS Key in a very short time.

In regards to your JSON login problem, you may wish to implement something similar. Give a remote api key. Let the user login with that key and their password. This secures things a bit more and would make it easier to deal with the SSO problem you are having.

Jeremy

From: Stephan Beal
Sent: Tuesday, November 22, 2011 4:29 PM
To: Fossil SCM user's discussion
Subject: Re: [fossil-users] Authentication via URL

On Tue, Nov 22, 2011 at 10:10 PM, Jeremy Cowgar <jer...@cowgar.com> wrote:
> That does indeed work

PS: on Thursday morning I'll be leaving town for the back woods of northern Germany for 4 days (without a PC), so I'll get the cookie name added to the JSON output tomorrow (Wednesday) evening before I leave.

> , however, how long will that cookie be active? It should have a time encoded in it so as to expire after a period of time.

I'll try to answer that for you by tomorrow night as well.
It "should" be simple to add the expiry time to the JSON output as well, so that the client can know how long the login will be valid for.

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
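The two design points raised in the thread, a feed-only "RSS Key" derived from the user, repo and password so that a leaked key grants nothing beyond the feed and dies with the next password change, and Stephan's suggestion of a cookie that carries its own expiry, can be shown together with one small keyed-hash scheme. The following is an added illustration written for this page, not Fossil's own code and not what either participant implemented. It assumes a per-repository secret kept server-side (REPO_SECRET), a stored password hash (password_hash is a stand-in for whatever the real store uses), and a one-week validity policy; every value below is constructed.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real Fossil repository.
REPO_NAME = "example-repo"
# Assumption: the server keeps one random secret per repository so that the
# key cannot be recomputed by anyone who only knows the public inputs.
REPO_SECRET = b"constructed-per-repository-secret-0123456789"
SCOPE = "rss-feed"  # the key is only ever accepted for the feed, never for full login


def password_hash(password: str) -> str:
    """Stand-in for the stored password hash (illustrative; a real store is salted)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_feed_key(user: str, pw_hash: str, expires_at: int, repo: str = REPO_NAME,
                  secret: bytes = REPO_SECRET) -> str:
    """Derive 'expires_at.mac'.

    Binding the MAC to the stored password hash means a password change
    silently revokes every key issued before it; the embedded expiry gives
    the client a known validity window without any server-side session.
    """
    msg = f"{SCOPE}|{repo}|{user}|{pw_hash}|{expires_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires_at}.{mac}"


def verify_feed_key(key: str, user: str, pw_hash: str, now: int,
                    repo: str = REPO_NAME, secret: bytes = REPO_SECRET) -> bool:
    """Accept the key only if it is well formed, unexpired and recomputes exactly."""
    exp_str, sep, _ = key.partition(".")
    if not sep or not exp_str.isdigit():
        return False
    expires_at = int(exp_str)
    if now >= expires_at:
        return False
    expected = make_feed_key(user, pw_hash, expires_at, repo, secret)
    # Constant-time comparison so the verifier cannot be probed byte by byte.
    return hmac.compare_digest(expected.encode(), key.encode())


def demo() -> dict:
    """Exercise the lifecycle: issue, use, expire, and revoke by password change."""
    issued_at = 1_321_990_000              # constructed epoch timestamp
    ttl = 7 * 24 * 3600                    # one-week validity, an assumed policy
    old_hash = password_hash("constructed-old-password")
    key = make_feed_key("alice", old_hash, issued_at + ttl)
    flipped = key[:-1] + ("0" if key[-1] != "0" else "1")  # one altered hex digit
    return {
        "valid_now": verify_feed_key(key, "alice", old_hash, issued_at + 60),
        "expired": verify_feed_key(key, "alice", old_hash, issued_at + ttl),
        "after_password_change": verify_feed_key(
            key, "alice", password_hash("constructed-new-password"), issued_at + 60),
        "other_user": verify_feed_key(key, "bob", old_hash, issued_at + 60),
        "tampered": verify_feed_key(flipped, "alice", old_hash, issued_at + 60),
    }


if __name__ == "__main__":
    print(demo())
```

The scope string in the MAC input is what keeps this a feed key rather than a general login: the same bytes presented to any other endpoint would be recomputed under a different scope and rejected. The expiry is sent in the clear and the MAC covers it, so a client can read its validity window while a modified expiry fails verification.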