From: Tony F. <to...@sy...> - 2006-09-07 19:24:46
On Thu, 2006-09-07 at 13:59 -0400, Christopher Murtagh wrote:
> > The way the info in the cookies can be used on the URL is. EVERY
> > browser out there will have the same flaw with the cookies. So how is
> > Dieter to fix that? Does he contact Microsoft, Mozilla, KDE, etc. and
> > submit a patch for their browsers? Or does he focus on the SL specific
> > problems.
>
> Like I said, this is not a browser or a cookie problem, it is a
> design flaw in the application, proof being that our patch solves the
> cookie problem completely.
                   ^^^^^^^^^^

This is simply not true...

The patch simply moves the security responsibility of existing sessions
to rely on the strength of the random number generator built into
Postgres, making it more difficult to hijack a valid session. Saving the
session parameters into the database does make it impossible to forge
sessions though. These two things make this patch stronger than how SQL
Ledger works now, but it doesn't "completely solve the problem".

Oh, and the patch removes the ability to log into SQL Ledger as more than
one user from the same browser. There are other ways to solve the problem.

Also let me say that I have been in contact with Dieter off list and he
is working diligently on a more secure authentication system. I think
both of us agree that it won't simply be to adopt this patch, though.

--
Tony Fraser                                   to...@sy...
Sybaspace Internet Solutions                  System Administrator
phone: (250) 246-5368                         fax: (250) 246-5398
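The two properties Tony separates above (an unpredictable identifier, so a live session is hard to hijack by guessing, and a server-held record of the session, so an identifier the server never issued cannot be forged) are easy to see side by side in a small server-side session store. The following is an added illustration in Python and is not SQL-Ledger code (which is Perl) nor the patch under discussion; the `SessionStore` class, its method names and the in-memory dict standing in for the database table are all assumptions made for the example. It goes slightly beyond the thread in two ways: the store is keyed by a hash of the token rather than the raw token, and because the key is the token and not the user name, sessions for different users can coexist from one browser.

```python
"""Server-side session store: unpredictable tokens plus a server-held
record. Added example, not SQL-Ledger code; the dict stands in for the
database table that the discussed patch writes session parameters to."""
import hashlib
import secrets
import time
from typing import Optional


class SessionStore:
    """Hypothetical store, not part of SQL-Ledger."""

    def __init__(self, ttl_seconds: int = 3600, token_bytes: int = 32) -> None:
        self.ttl = ttl_seconds
        self.token_bytes = token_bytes
        # Keyed by a hash of the token rather than the token itself, so a
        # copy of the table alone does not hand out live sessions.
        self._sessions: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str, now: Optional[float] = None) -> str:
        """Issue a new session for `username` and return its token."""
        now = time.time() if now is None else now
        # secrets.token_urlsafe draws from the OS CSPRNG; with 32 bytes of
        # randomness a valid identifier cannot be enumerated or predicted.
        token = secrets.token_urlsafe(self.token_bytes)
        self._sessions[self._key(token)] = {
            "user": username,
            "expires": now + self.ttl,
        }
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to `token`, or None if the token was never
        issued (forged), was destroyed, or has expired."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None  # no server-side record: forged or unknown token
        if now >= record["expires"]:
            self._sessions.pop(key, None)  # lazy expiry on first use
            return None
        return record["user"]

    def destroy(self, token: str) -> bool:
        """Log the session out; True if a live record was removed."""
        return self._sessions.pop(self._key(token), None) is not None


def demo() -> dict:
    """Exercise the store with a fixed clock (constructed sample run)."""
    store = SessionStore(ttl_seconds=60)
    t0 = 1_000_000.0
    alice = store.create("alice", now=t0)
    bob = store.create("bob", now=t0)  # second user, same "browser"
    return {
        "distinct_tokens": alice != bob,
        "alice_ok": store.validate(alice, now=t0 + 1),
        "forged": store.validate("alice-session-1", now=t0 + 1),
        "expired": store.validate(bob, now=t0 + 61),
        "after_logout": (store.destroy(alice), store.validate(alice, now=t0 + 2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged-token check is where the server-side record matters: a client can invent any string it likes, but without a matching record the store answers None regardless of how the identifier was built. The guessing resistance, by contrast, rests entirely on the generator behind `secrets.token_urlsafe`, which is the dependency Tony points out the patch shifts onto the Postgres random number generator.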