On 10/29/06, Magnus Henoch <[EMAIL PROTECTED]> wrote:
> "Norman Rasmussen" <[EMAIL PROTECTED]> writes:
>
>> Psi doesn't like the comma in the resource name (I think it allows
>> multiple recipients separated with a comma). You could use date('c')
>> or date('U') instead,
>
> Changed.
>
>> or why not login with SASL plain and allow the server to generate a
>> random resource instead.
>>
>> Or better yet, why not login with SASL Anonymous, that way even Gajim
>> will work :-)
>
> Yes, I would do that if class.jabber.php supported SASL ;)
I've been playing with OpenID and using the XEP-0070 example as a source
for logic. It was very irritating to have a unique resource all the time
because Psi loads each one in a new window.

While thinking about what the resource can be set to I noticed a security
flaw:

- If an attacker can guess what the resource is going to be, then you have
  a problem. This is a big problem with using time based resources. In
  fact the default class.jabber way is to hash the time and remote addr,
  which is just as weak, because the attacker can guess both.

I guess the one 'constant' safe way would be to take a salted hash of the
jid. That way the resource is constant per jid, and the attacker can't
duplicate it.

-- 
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
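
As an added example (not code from this thread and not from class.jabber.php), the following Python sketch contrasts the guessable time-plus-remote-address resource described above with a resource derived from the bare JID under a server-held secret, which is what a "salted hash of the jid" amounts to when done with HMAC. The MD5 construction standing in for class.jabber's default, the secret value, the sample JIDs, address and timestamp are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Assumed server-side secret. In a real deployment load it from protected
# configuration and never ship it to clients; anyone holding it can recompute
# every resource this function produces.
SERVER_SECRET = b"example-secret-rotate-me"


def weak_resource(ts: int, remote_addr: str) -> str:
    """Approximation (constructed here) of a time-plus-address hashed resource.

    Both inputs are knowable to an attacker: the address from the connection
    and the timestamp to within a small window around login time.
    """
    return hashlib.md5(f"{ts}{remote_addr}".encode("utf-8")).hexdigest()


def guess_weak_resource(target: str, remote_addr: str, approx_ts: int,
                        window: int = 300) -> Optional[int]:
    """Attacker's view: brute-force the timestamp around the observed login.

    Returns the timestamp that reproduces `target`, or None if it is not in
    the +/- window seconds searched. 601 MD5 calls for a five-minute window.
    """
    for ts in range(approx_ts - window, approx_ts + window + 1):
        if weak_resource(ts, remote_addr) == target:
            return ts
    return None


def keyed_resource(bare_jid: str, secret: bytes = SERVER_SECRET,
                   length: int = 32) -> str:
    """Resource = HMAC-SHA256(secret, bare JID), hex, truncated to `length`.

    Constant for a given JID (so Psi does not open a fresh window per login)
    but not reproducible without the secret. HMAC is used rather than
    sha256(salt + jid) so the keyed value is not subject to length-extension
    and the "salt" is an actual key. The caller is expected to pass the JID
    already in canonical form; no case folding is done here.
    """
    digest = hmac.new(secret, bare_jid.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


if __name__ == "__main__":
    # Constructed sample values.
    addr, login_ts = "192.0.2.10", 1162166400
    observed = weak_resource(login_ts, addr)
    # Attacker knows the address and that login happened "about two minutes ago".
    print("weak resource recovered at ts:", guess_weak_resource(observed, addr, login_ts + 120))
    print("keyed resource for alice:", keyed_resource("alice@example.org"))
    print("same JID, same resource:",
          keyed_resource("alice@example.org") == keyed_resource("alice@example.org"))
```

Two caveats for anyone adopting the keyed scheme: because the resource is identical on every login for that JID, a second concurrent session from the same account collides with the first (the server will either refuse it or replace the existing session, depending on its conflict policy), and the secret must stay on the server, since leaking it makes every resource as predictable as the time-based one.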
