On Tue, 14 Dec 2004 11:17:50 -0600, Jason Hildebrand wrote:
> On Mon, 2004-12-13 at 20:23 -0500, Winston Wolff wrote:
>
>> Are other people getting failures if they run this? I get 10
>> failures out of 23 tests.
>>
>
>> cd Webware/UserKit/Tests/
>> python Test.py
>>
>
> I get 29 failures out of 6
On Mon, 2004-12-13 at 20:23 -0500, Winston Wolff wrote:
> Are other people getting failures if they run this? I get 10 failures
> out of 23 tests.
> cd Webware/UserKit/Tests/
> python Test.py
I get 29 failures out of 61 tests. I don't know why it's trying to run
more tests than it d
On Dec 13, 2004, at 5:23 PM, Winston Wolff wrote:
Are other people getting failures if they run this? I get 10 failures
out of 23 tests.
cd Webware/UserKit/Tests/
python Test.py
-winston
The notes in the UserKit source say that it is unfinished. If the tests
were written before
Baruch Even <[EMAIL PROTECTED]> wrote:
>
>* Ian Bicking <[EMAIL PROTECTED]> [011012 00:06]:
>> After reading your article, a non-SSL solution occurred to me. You
>> can implement MD5 on the client through Javascript (see
>> http://pajhome.org.uk/crypt/md5/md5src.html), and it's not even a very
>>
* Ian Bicking <[EMAIL PROTECTED]> [011012 00:06]:
> Baruch Even <[EMAIL PROTECTED]> wrote:
> > If someone can sniff out your session, he can easily fake the TCP/IP
> > connection with ease.
>
> Really? I understand how sniffing works (though with proxies there's
> potentially other ways that coo
Chuck Esterbrook <[EMAIL PROTECTED]> wrote:
>
>The idea behind externalId is that you could safely use it externally to
>refer to a user. Safely means that 1. it would be hard for someone to guess
>(and therefore impersonate another user) and 2. would not reveal private
>information about the u
At 05:39 PM 10/11/2001 -0400, Geoff Talvola wrote:
>Sure. Just make a longer random number to use as the random part of the
>session ID.
>
>Actually, a bigger flaw may be in relying on Python's pseudo-random number
>generator. Suppose you send a quick flurry of ten requests to WebKit,
>theref
At 01:48 PM 10/11/01 -0700, you wrote:
>At 04:38 PM 10/11/2001 -0400, Geoff Talvola wrote:
>>I could write a program that keeps on trying random session IDs with the
>>date/time part of the session ID set to a couple of minutes ago, so the
>>session is likely to still be around. It might take h
larly.
Thanks for the help,
-Aaron
- Original Message -
From: "Chuck Esterbrook" <[EMAIL PROTECTED]>
To: "Aaron Held" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 11, 2001 3:14 PM
Subject: Re: [Webware-devel] UserKit
> At 02:56 PM 10/
Baruch Even <[EMAIL PROTECTED]> wrote:
> If someone can sniff out your session, he can easily fake the TCP/IP
> connection with ease.
Really? I understand how sniffing works (though with proxies there's
potentially other ways that cookies can be spied on), but I don't
really know how IP address
Geoff Talvola <[EMAIL PROTECTED]> wrote:
> I could write a program that keeps on trying random session IDs with the
> date/time part of the session ID set to a couple of minutes ago, so the
> session is likely to still be around. It might take hundreds of thousands
> of tries but it would even
At 04:38 PM 10/11/2001 -0400, Geoff Talvola wrote:
>I could write a program that keeps on trying random session IDs with the
>date/time part of the session ID set to a couple of minutes ago, so the
>session is likely to still be around. It might take hundreds of thousands
>of tries but it woul
At 01:29 PM 10/11/01 -0700, Chuck Esterbrook wrote:
>Okay, so I'm curious how you would actually guess a session on my server?
>You need to get a number between 0 and 9 AND you need to know the
>exact date, including second, that the session was created.
>
>You say that "only the last 5 digi
* Ian Bicking <[EMAIL PROTECTED]> [011011 22:23]:
> Geoff Talvola <[EMAIL PROTECTED]> wrote:
> > That reminds me of something I meant to bring up a while ago. Session IDs
> > are currently not very random. Only the last 5 digits are actually random
> > -- the rest of it is just the current tim
At 03:29 PM 10/11/2001 -0400, Geoff Talvola wrote:
>That reminds me of something I meant to bring up a while ago. Session IDs
>are currently not very random. Only the last 5 digits are actually random
>-- the rest of it is just the current time expressed as a string.
>
>This could be a securit
At 03:29 PM 10/11/2001 -0400, Geoff Talvola wrote:
>At 12:14 PM 10/11/01 -0700, Chuck Esterbrook wrote:
>>The idea behind externalId is that you could safely use it externally to
>>refer to a user. Safely means that 1. it would be hard for someone to
>>guess (and therefore impersonate another us
Geoff Talvola <[EMAIL PROTECTED]> wrote:
> That reminds me of something I meant to bring up a while ago. Session IDs
> are currently not very random. Only the last 5 digits are actually random
> -- the rest of it is just the current time expressed as a string.
>
> This could be a security hol
At 12:14 PM 10/11/01 -0700, Chuck Esterbrook wrote:
>The idea behind externalId is that you could safely use it externally to
>refer to a user. Safely means that 1. it would be hard for someone to
>guess (and therefore impersonate another user) and 2. would not reveal
>private information about
At 02:56 PM 10/11/2001 -0400, Aaron Held wrote:
>Are any of the timeout functions in the UserManager classes
>(cachedUserTimeout()) implemented?
>They do not seem to be used anywhere.
>
>Also what is External ID used for? For an I was planning to map -
>User.name = email address
>User.SerialNum =