From: Sergio A. K. <ser...@ho...> - 2002-03-03 01:30:10
/me knocks my embarrassed head...

ok, anyway, while we are at it:
whoever comes to my computer can log in under my name, as the url (with the encrypted passwd) stays in the browser cache... (thanks to url completion features in IE, mozilla et al)

I just type "aba" in my browser and it shows me many urls to access sql-ledger bypassing the login dialog, for example, this:

http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=

note the passwd IS there (it's just blank), so skipping the login dialog is just too easy, it even happened to me accidentally... and that can be a big security problem in business...

/sergio

----- Original Message -----
From: "Dieter Simader" <dsi...@sq...>

> There is no session management in SQL-Ledger.
>
> If you have session management then you are not using the official version
> of SQL-Ledger.
>
> I suggest you complain to whoever added session management.
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
>
> > a solution would be to use http auth
> > (which is a lot more simple than sessions),
> > but dieter is against it :(
> >
> > /sergio
> >
> > ----- Original Message -----
> > From: "Kenneth Gonsalves" <la...@th...>
> >
> > > hi
> > > problem:
> > > user starts a session on a web based app. connection gets cut. he
> > > re-establishes connection and tries to login. message - 'already logged in
> > > get lost'. he has to wait anything up to 30 minutes for his previous session
> > > to expire before being able to do his work. any solution for this?
> > > kg
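
The exposure described in this message can also be checked from the server side, because a query string that the browser history keeps is written to web server access logs as well. The following is an added example, not part of the original thread or of SQL-Ledger: it scans access-log lines for credential parameters in the request URL, flags blank values like the one in the post, and redacts them. It assumes combined-format log lines; the parameter names other than `password`, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "password" is the parameter shown in the post; the other names are
# assumed common variants, not taken from SQL-Ledger.
SECRET_PARAMS = {"password", "passwd", "pass", "pwd"}

# Request line as it appears inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def audit_url(url):
    """Return (redacted_url, findings) for one URL or request target."""
    parts = urlsplit(url)
    findings, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            # In the post the value was blank and the URL still skipped
            # the login dialog, so blank values are reported too.
            findings.append((name, "blank" if value == "" else "present"))
            value = "REDACTED"
        cleaned.append((name, value))
    query = urlencode(cleaned, safe="/")
    return urlunsplit(parts._replace(query=query)), findings

def audit_log(lines):
    """Yield (line_no, redacted_url, findings) for lines exposing credentials."""
    for no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, findings = audit_url(match.group(1))
        if findings:
            yield no, redacted, findings

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2002:01:12:00 +0000] "GET /sql-ledger/login.pl HTTP/1.0" 200 1532',
    '192.0.2.10 - - [03/Mar/2002:01:12:09 +0000] "GET /sql-ledger/menu.pl?path=bin/mozilla'
    '&action=acc_menu&login=sergio&password= HTTP/1.0" 200 4410',
    '192.0.2.22 - - [03/Mar/2002:01:15:41 +0000] "GET /sql-ledger/menu.pl?path=bin/mozilla'
    '&action=acc_menu&login=demo&password=x9Qe2 HTTP/1.0" 200 4410',
]

if __name__ == "__main__":
    for no, url, findings in audit_log(SAMPLE_LOG):
        print(f"line {no}: {url} {findings}")
```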