> It could result in an upload session takeover.
> It depends on the implementation if these tokens are valid for things other
> than map data upload.
If you are talking about OAuth tokens I can only reiterate that these tokens alone are not helpful at all. One has to know the token secret, too. And that has to be transmitted only once from the server to the client. Every subsequent request is signed using this secret. So if one is concerned about the CPU resources it would suffice to use SSL for the authentication process if OAuth is used. No upload session can be taken over without knowing the secret. In other words: You can announce your token to the world if you wish and the process would still be secure.

Lars
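The request signing described in the message above, as an added example that is not part of the original post: an OAuth 1.0 HMAC-SHA1 signature computed and checked the way RFC 5849 lays it out. The endpoint URL, keys, secrets and the `changeset` parameter are constructed values, and the function names are hypothetical.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameter list
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The HMAC key is built from the two secrets, which never travel with the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_verify(method, url, params, signature, consumer_secret, token_secret):
    # Server recomputes the signature from its stored secrets, compares in constant time
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (hypothetical endpoint, keys and secrets)
URL = "https://api.example.org/upload"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-public-token",   # visible in every request
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "changeset": "42",
}

def demo():
    good = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # Same token, but signed without the real token secret
    no_secret = sign("POST", URL, PARAMS, CONSUMER_SECRET, "")
    # Valid signature reused on a request with a different parameter
    altered = dict(PARAMS, changeset="43")
    check = lambda p, s: server_verify("POST", URL, p, s, CONSUMER_SECRET, TOKEN_SECRET)
    return check(PARAMS, good), check(PARAMS, no_secret), check(altered, good)

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The signature covers the method, URL and every parameter, so the server accepts only the exact request the holder of the token secret signed.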
