Hey Robin, at the first look that is a fix that prevents people from exploiting the mentioned, but I think it opens a few new security questions, I don't know how relevant they are but:

- XSS attacks to obtain sessionID open the chance to brute force the password offline
- A man in the middle attack is even worse, because one could get an exact timestamp

Why not use md5(time().user.someRand())? That would raise the possible tokens to the rand interval and let's say for a rand within 10^5 brute force attacks will be impossible.

Another important thing, to prevent brute forcing in common, is to make a log-in penalty. Let's say 10 sec penalty after 3 failed logins, server-side implemented.

Best wishes, Simon
_______________________________________________ Owncloud mailing list [email protected] https://mail.kde.org/mailman/listinfo/owncloud
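A server-side login penalty of the kind Simon describes (10 s lockout of the account after 3 failed attempts), as an added illustration that is not part of the original mail or of ownCloud's code; the in-memory store, the `FakeClock` and the sample credentials are constructed for the example, and `LoginPenalty`, `attempt_login` and `demo` are hypothetical names.

```python
import time


class LoginPenalty:
    """Server-side throttle: after MAX_FAILURES consecutive failed logins on an
    account, further attempts are refused until PENALTY_SECONDS have elapsed."""
    MAX_FAILURES = 3
    PENALTY_SECONDS = 10

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable clock so the penalty can be tested
        self._failures = {}        # username -> consecutive failed attempts
        self._locked_until = {}    # username -> clock value when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # penalty served: clear the lock and restart the failure count
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user):
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.MAX_FAILURES:
            self._locked_until[user] = self._clock() + self.PENALTY_SECONDS
        return n

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(throttle, user, password, check_password):
    """Returns (accepted, reason). The password is checked only when the throttle
    allows it, so a locked account cannot be probed during the penalty window."""
    if throttle.is_locked(user):
        return False, "locked"
    if check_password(user, password):
        throttle.record_success(user)
        return True, "ok"
    throttle.record_failure(user)
    return False, "bad-password"


class FakeClock:
    """Constructed clock for the demo: time advances only when we say so."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    throttle = LoginPenalty(clock=clock)
    creds = {"alice": "correct-horse"}          # constructed sample credential store
    check = lambda u, p: creds.get(u) == p
    reasons = [attempt_login(throttle, "alice", pw, check)[1] for pw in ("x", "y", "z")]
    reasons.append(attempt_login(throttle, "alice", "correct-horse", check)[1])  # refused: locked
    clock.now += LoginPenalty.PENALTY_SECONDS    # 10 s later the correct password is accepted
    reasons.append(attempt_login(throttle, "alice", "correct-horse", check)[1])
    return reasons
```

The lock is keyed on the account rather than the client address, so an attacker cannot evade it by rotating IPs; the trade-off is that repeated bad guesses can keep a legitimate user locked out, which is why the penalty is kept short.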
