From: Dr D. <drd...@ho...> - 2002-03-03 09:12:21
Whoever comes to the Whitehouse Computer keyboard can very possibly press the button for Full Global Nuclear War. That's why they only let chosen (elected) fools do that..

Besides, somehow it seems unfair to me to blame Dieter for Microsoft's well spread security bugs.

Workaround one: disable the 'remember my password' bit in IE and you are halfway there..
Workaround two: disable windows and install linux

-----Original Message-----
From: sql...@li... [mailto:sql...@li...] On Behalf Of Sergio A. Kessler
Sent: Sunday, 3 March 2002 1:58
To: Dieter Simader
Cc: Kenneth Gonsalves; sql...@li...
Subject: Re: session management

/me knocks my embarrassed head...

ok, anyway, while we are at it:
whoever comes to my computer can log in my name, as the url (with the encrypted passwd) stays in the browser cache... (thanks to url completion features in IE, mozilla et al)

I just type "aba" in my browser and it shows me many urls to access sql-ledger bypassing the login dialog, for example, this:

http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=

note the passwd IS there (it's just blank), so skipping the login dialog is just too easy, it even happened to me accidentally... and that can be a big security problem in business...

/sergio

----- Original Message -----
From: "Dieter Simader" <dsi...@sq...>

> There is no session management in SQL-Ledger.
>
> If you have session management then you are not using the official
> version of SQL-Ledger.
>
> I suggest you complain to whoever added session management.
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
>
> > a solution would be to use http auth
> > (which is a lot more simple than sessions),
> > but dieter is against it :(
> >
> > /sergio
> >
> > ----- Original Message -----
> > From: "Kenneth Gonsalves" <la...@th...>
> >
> > > hi
> > > problem:
> > > user starts a session on a web based app. connection gets cut. he
> > > re-establishes connection and tries to login. message - 'already logged in
> > > get lost'. he has to wait anything up to 30 minutes for his previous session
> > > to expire before being able to do his work. any solution for this?
> > > kg
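
An added example, not part of the original thread and not SQL-Ledger code: a log check that finds requests whose URL or Referer carries a `password` parameter, as in the menu.pl URL quoted above, and prints them with the value masked. It assumes Apache Combined Log Format; the sample lines, the `erp.example.test` host and the extra parameter spellings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets. "password" is the one in the URL quoted
# above; the other spellings are assumptions.
SECRET_KEYS = {"password", "passwd", "pwd"}

# Combined Log Format: "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines (addresses and host names are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2002:01:50:00 +0000] "GET /sql-ledger/menu.pl'
    '?path=bin/mozilla&action=acc_menu&login=sergio&password= HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [03/Mar/2002:01:50:02 +0000] "GET /sql-ledger/logo.png HTTP/1.0" 200 512 '
    '"http://erp.example.test/sql-ledger/menu.pl?login=sergio&password=x9" "Mozilla/4.0"',
    '192.0.2.11 - - [03/Mar/2002:01:51:00 +0000] "GET /sql-ledger/login.pl HTTP/1.0" 200 900 "-" "Mozilla/4.0"',
]

def redact(url):
    """Return (has_secret, url with the secret parameter values masked)."""
    parts = urlsplit(url)
    # keep_blank_values: a blank "password=" still identifies a login URL
    # that sits in history and autocomplete, so it must be flagged too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hit = any(k.lower() in SECRET_KEYS for k, _ in pairs)
    masked = [(k, "REDACTED" if k.lower() in SECRET_KEYS else v) for k, v in pairs]
    return hit, urlunsplit(parts._replace(query=urlencode(masked, safe="/")))

def scan(lines):
    """Yield (line_no, field, redacted_url) for each credential-bearing URL."""
    for no, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        # The request target shows direct use; the Referer shows the URL
        # being passed along with a later request made from that page.
        for field in ("target", "referer"):
            url = m.group(field)
            if url and url != "-":
                hit, clean = redact(url)
                if hit:
                    yield no, field, clean

if __name__ == "__main__":
    for no, field, url in scan(SAMPLE_LOG):
        print(f"line {no}: credentials in {field}: {url}")
```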