Alex Balashov writes: > The problem, as you well know, is that not having the check allows a > user A to impersonate the identity of any other user B, as long as > user A has his own valid credentials for himself.
yes, i well know it and therefore one needs to check if the user really owns the uri or not. to make an automatic invalid check is in my opinion a very bad idea, since according to rfc3261 uri userpart does not have anything to do with user's authentication username. -- juha _______________________________________________ sr-dev mailing list [email protected] http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
