|
From: Kenneth G. <la...@th...> - 2002-03-02 06:51:34
|
hi
problem:
user starts a session on a web based app. connection gets cut. he re-establishes connection and tries to log in. message - 'already logged in get lost'. he has to wait anything up to 30 minutes for his previous session to expire before being able to do his work. any solution for this?
kg
|
From: Sergio A. K. <ser...@ho...> - 2002-03-02 16:45:51
|
a solution would be to use http auth (which is a lot simpler than sessions), but dieter is against it :(

/sergio

----- Original Message -----
From: "Kenneth Gonsalves" <la...@th...>

> hi
> problem:
> user starts a session on a web based app. connection gets cut. he
> re-establishes connection and tries to log in. message - 'already logged in
> get lost'. he has to wait anything up to 30 minutes for his previous session
> to expire before being able to do his work. any solution for this?
> kg
|
From: Dieter S. <dsi...@sq...> - 2002-03-02 20:45:29
|
There is no session management in SQL-Ledger.

If you have session management then you are not using the official version of SQL-Ledger.

I suggest you complain to whoever added session management.

Dieter Simader http://www.sql-ledger.org (780) 472-8161
DWS Systems Inc. Accounting Software Fax: 478-5281
=========== On a clear disk you can seek forever ===========

On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
> a solution would be to use http auth
> (which is a lot simpler than sessions),
> but dieter is against it :(
>
> /sergio
>
> ----- Original Message -----
> From: "Kenneth Gonsalves" <la...@th...>
>
> > hi
> > problem:
> > user starts a session on a web based app. connection gets cut. he
> > re-establishes connection and tries to log in. message - 'already logged in
> > get lost'. he has to wait anything up to 30 minutes for his previous session
> > to expire before being able to do his work. any solution for this?
> > kg
|
From: Sergio A. K. <ser...@ho...> - 2002-03-03 01:30:10
|
/me knocks my embarrassed head...

ok, anyway, while we are at it: whoever comes to my computer can log in under my name, as the URL (with the encrypted password) stays in the browser cache... (thanks to URL completion features in IE, Mozilla et al.)

I just type "aba" in my browser and it shows me many URLs to access sql-ledger bypassing the login dialog, for example, this:
http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=

note the password IS there (it's just blank), so skipping the login dialog is just too easy; it even happened to me accidentally...

and that can be a big security problem in business...

/sergio

----- Original Message -----
From: "Dieter Simader" <dsi...@sq...>

> There is no session management in SQL-Ledger.
>
> If you have session management then you are not using the official version
> of SQL-Ledger.
>
> I suggest you complain to whoever added session management.
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
>
> > a solution would be to use http auth
> > (which is a lot simpler than sessions),
> > but dieter is against it :(
> >
> > /sergio
> >
> > ----- Original Message -----
> > From: "Kenneth Gonsalves" <la...@th...>
> >
> > > hi
> > > problem:
> > > user starts a session on a web based app. connection gets cut. he
> > > re-establishes connection and tries to log in. message - 'already logged in
> > > get lost'. he has to wait anything up to 30 minutes for his previous session
> > > to expire before being able to do his work. any solution for this?
> > > kg
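The URL quoted above is the whole problem in one line: a login handled as a GET request carries `login=` and `password=` in the query string, and browsers keep that string in history and URL completion while web servers write it to their access logs. The following is an added example, not code from SQL-Ledger or from anyone in this thread: it scans constructed Apache-style access log lines for credential-bearing URLs (catching the blank `password=` case the mail points out, which naive parsers drop) and shows how to redact such URLs before they are logged. The parameter names `login` and `password` come from the quoted URL; the other names in `CREDENTIAL_PARAMS`, the log lines and the client addresses are assumptions made for this example.

```python
"""
Added example (not SQL-Ledger code): find credential-bearing URLs in an
Apache-style access log or browser history and redact them for logging.

Parameter names ``login`` and ``password`` come from the URL quoted in the
thread; the other names, the log lines and the addresses are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never travel in a URL.  ``login`` and
# ``password`` are the ones visible in the thread; the rest are common
# aliases added as an assumption.
CREDENTIAL_PARAMS = {"login", "password", "passwd", "pass", "pwd", "user"}

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def credential_params(url: str) -> dict:
    """Return the credential-like query parameters in *url* and their values.

    keep_blank_values=True matters: the thread's URL has ``password=`` with an
    empty value, and the default parse would silently drop that pair.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if k.lower() in CREDENTIAL_PARAMS}


def redact_url(url: str) -> str:
    """Replace the values of credential parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
                for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed, safe="/")))


def scan_access_log(lines):
    """Return (client, method, redacted_url, leaked_param_names) for every
    request whose URL carries credentials.  The query string is logged for
    any method, so a POST with credentials in the URL is flagged as well."""
    findings = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, method, path, _status = m.groups()
        leaked = credential_params(path)
        if leaked:
            findings.append((client, method, redact_url(path), sorted(leaked)))
    return findings


# Constructed sample log lines, not real SQL-Ledger traffic.  The first one
# mirrors the URL shape quoted in the thread, blank password included.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2002:01:30:10 +0100] "GET /sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password= HTTP/1.0" 200 4321
10.0.0.5 - - [03/Mar/2002:01:31:02 +0100] "GET /sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=s3cret HTTP/1.0" 200 4321
10.0.0.7 - - [03/Mar/2002:01:32:40 +0100] "POST /sql-ledger/login.pl HTTP/1.0" 302 0
10.0.0.9 - - [03/Mar/2002:01:33:11 +0100] "GET /sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu HTTP/1.0" 200 4321
"""


def demo():
    """Scan the constructed log; two of the four requests leak credentials."""
    return scan_access_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, method, url, params in demo():
        print(f"{client} {method} {url}  leaks: {', '.join(params)}")
```

Redacting the log is damage control; the fix is to keep credentials out of the URL entirely, by submitting the login form with POST and then identifying the user by a cookie or by HTTP authentication, so that a URL recalled from history carries nothing that authenticates.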
|
From: Dr D. <drd...@ho...> - 2002-03-03 09:12:21
|
Whoever comes to the Whitehouse Computer keyboard can very possibly press the button for Full Global Nuclear War. That's why they only let chosen (elected) fools do that..

Besides, somehow it seems unfair to me to blame Dieter for Microsoft's well spread security bugs.

Workaround one: disable the 'remember my password' bit in IE and you are halfway there..
Workaround two: disable windows and install linux

-----Original Message-----
From: sql...@li... [mailto:sql...@li...] On Behalf Of Sergio A. Kessler
Sent: zondag 3 maart 2002 1:58
To: Dieter Simader
Cc: Kenneth Gonsalves; sql...@li...
Subject: Re: session management

/me knocks my embarrassed head...

ok, anyway, while we are at it: whoever comes to my computer can log in under my name, as the URL (with the encrypted password) stays in the browser cache... (thanks to URL completion features in IE, Mozilla et al.)

I just type "aba" in my browser and it shows me many URLs to access sql-ledger bypassing the login dialog, for example, this:
http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=

note the password IS there (it's just blank), so skipping the login dialog is just too easy; it even happened to me accidentally...

and that can be a big security problem in business...

/sergio

----- Original Message -----
From: "Dieter Simader" <dsi...@sq...>

> There is no session management in SQL-Ledger.
>
> If you have session management then you are not using the official
> version of SQL-Ledger.
>
> I suggest you complain to whoever added session management.
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
>
> > a solution would be to use http auth
> > (which is a lot simpler than sessions),
> > but dieter is against it :(
> >
> > /sergio
> >
> > ----- Original Message -----
> > From: "Kenneth Gonsalves" <la...@th...>
> >
> > > hi
> > > problem:
> > > user starts a session on a web based app. connection gets cut. he
> > > re-establishes connection and tries to log in. message - 'already logged in
> > > get lost'. he has to wait anything up to 30 minutes for his
> > > previous session
> > > to expire before being able to do his work. any solution for this?
> > > kg
|
From: Sergio A. K. <ser...@ho...> - 2002-03-03 18:46:10
|
I think you don't understand a single bit of what I said,
please re-read my mail...
1) I'm not blaming dieter.
2) it's not about microsoft security bugs.
("it's not a bug, it's a feature, stupid")
3) it's not about windows.
4) it's not about IE
1a) I'm not blaming anyone, I just point to what *I* believe
is a security problem.
2a) I'm not pointing out bugs in microsoft software,
the URL completion is a *normal* feature (in many browsers now).
3a) it happens on linux too.
4a) it happens on mozilla too.
please, keep your anti-microsoft propaganda to yourself
and try to be constructive instead of bashing left & right.
/sergio
PS: if you want to continue the flaming, instead of trying
to help, mail me privately, no need to bother other people.
----- Original Message -----
From: "Dr Default" <drd...@ho...>
> Whoever comes to the Whitehouse Computer keyboard can very possibly
> press the button for
> Full Global Nuclear War. That's why they only let chosen (elected) fools
> do that..
> Besides, somehow it seems unfair to me to blame Dieter for Microsoft's
> well spread security bugs.
> Workaround one: disable the 'remember my password' bit in IE and you are
> halfway there..
> Workaround two: disable windows and install linux
>
> -----Original Message-----
> From: sql...@li...
> [mailto:sql...@li...] On Behalf Of
> Sergio A. Kessler
> Sent: zondag 3 maart 2002 1:58
> To: Dieter Simader
> Cc: Kenneth Gonsalves; sql...@li...
> Subject: Re: session management
>
>
> /me knocks my embarrassed head...
>
> ok, anyway, while we are at it: whoever comes to my computer
> can log in under my name, as the URL (with the encrypted password)
> stays in the browser cache...
> (thanks to URL completion features in IE, Mozilla et al.)
>
> I just type "aba" in my browser and it shows me many
> URLs to access sql-ledger bypassing the login dialog,
> for example, this:
> http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=
>
> note the password IS there (it's just blank), so skipping the login dialog
> is just too easy; it even happened to me accidentally...
>
> and that can be a big security problem in business...
>
> /sergio
>
> ----- Original Message -----
> From: "Dieter Simader" <dsi...@sq...>
>
>
> > There is no session management in SQL-Ledger.
> >
> > If you have session management than you are not using the official
> > version of SQL-Ledger.
> >
> > I suggest you complain to whoever added session managment.
> >
> >
> > Dieter Simader http://www.sql-ledger.org (780) 472-8161
> > DWS Systems Inc. Accounting Software Fax: 478-5281
> > =========== On a clear disk you can seek forever ===========
> >
> > On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
> >
> > > a solution would be to use http auth
> > > (wich is a lot more simple than sessions),
> > > but dieter is against it :(
> > >
> > > /sergio
> > >
> > > ----- Original Message -----
> > > From: "Kenneth Gonsalves" <la...@th...>
> > >
> > >
> > > > hi
> > > > problem:
> > > > user starts a session on a web based app. connection gets cut. he
> > > > re-establishes connection and tries to log in. message - 'already
> logged in
> > > > get lost'. he has to wait anything up to 30 minutes for his
> > > > previous
> > > session
> > > > to expire before being able to do his work. any solution for this?
>
> > > > kg
|
|
From: kevin b. <kev...@bi...> - 2002-03-04 17:41:14
|
hi there

first thing - I am not an HTML/Perl expert - but...

is there no way that Perl can effectively wipe any password when the page loads - and then it is only the button/submit event which requests the login.

again - not my area of expertise etc. but surely we should find a way to sort out this potential security risk,

kev bailey

>>/me knocks my embarrassed head...
>>
>>ok, anyway, while we are at it: whoever comes to my computer
>>can log in under my name, as the URL (with the encrypted password)
>>stays in the browser cache...
>>(thanks to URL completion features in IE, Mozilla et al.)
>>
>>I just type "aba" in my browser and it shows me many
>>URLs to access sql-ledger bypassing the login dialog,
>>for example, this:
>>http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=
>>
>>note the password IS there (it's just blank), so skipping the login dialog
>>is just too easy; it even happened to me accidentally...
>>
>>and that can be a big security problem in business...
>>
>>/sergio
|
From: Dieter S. <dsi...@sq...> - 2002-03-04 18:03:00
|
This apparent *security risk* is not a security risk at all.

If you are concerned about other people accessing your terminal then you log off, or activate your screen saver, simple enough!

Dieter Simader http://www.sql-ledger.org (780) 472-8161
DWS Systems Inc. Accounting Software Fax: 478-5281
=========== On a clear disk you can seek forever ===========

On Mon, 4 Mar 2002, kevin bailey wrote:
> hi there
>
> first thing - I am not an HTML/Perl expert - but...
>
> is there no way that Perl can effectively wipe any password when the
> page loads - and then it is only the button/submit event which requests
> the login.
>
> again - not my area of expertise etc. but surely we should find a way to
> sort out this potential security risk,
>
> kev bailey
|
From: Sergio A. K. <ser...@ho...> - 2002-03-05 00:12:28
|
dieter, sometimes things are not that simple...

for example, right now, in my company (not a big one) one of the boys in charge of accounting is on vacation, and another female employee took his place (using another username of course) using *the same* computer as the boy... (we are not using sql-ledger, by the way)

in my previous work (at a university) almost all computers were shared between users; in fact, in that place there were employees using the computer in the morning, and other users using the same computer past midday...

all this using win98, a single-user system...

I understand you don't want to add http auth because dnhttpd doesn't support it, and I respect your decision... (also I understand this is not a big priority)

/sergio

----- Original Message -----
From: "Dieter Simader" <dsi...@sq...>

> This apparent *security risk* is not a security risk at all.
>
> If you are concerned about other people accessing your terminal then you
> log off, or activate your screen saver, simple enough!
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Mon, 4 Mar 2002, kevin bailey wrote:
>
> > hi there
> >
> > first thing - I am not an HTML/Perl expert - but...
> >
> > is there no way that Perl can effectively wipe any password when the
> > page loads - and then it is only the button/submit event which requests
> > the login.
> >
> > again - not my area of expertise etc. but surely we should find a way to
> > sort out this potential security risk,
> >
> > kev bailey
|
From: Dieter S. <dsi...@sq...> - 2002-03-05 16:38:10
|
Sergio, you can easily add http authentication. In fact I make a reference to this in the FAQ, under section Security.

However, session control has nothing to do with http authentication.

Dieter Simader http://www.sql-ledger.org (780) 472-8161
DWS Systems Inc. Accounting Software Fax: 478-5281
=========== On a clear disk you can seek forever ===========

On Mon, 4 Mar 2002, Sergio A. Kessler wrote:
> dieter, sometimes things are not that simple...
>
> for example, right now, in my company (not a big one)
> one of the boys in charge of accounting is on vacation,
> and another female employee took his place (using another
> username of course) using *the same* computer as the boy...
> (we are not using sql-ledger, by the way)
>
> in my previous work (at a university) almost all
> computers were shared between users; in fact, in that
> place there were employees using the computer in the
> morning, and other users using the same computer
> past midday...
>
> all this using win98, a single-user system...
>
> I understand you don't want to add http auth because
> dnhttpd doesn't support it, and I respect your decision...
> (also I understand this is not a big priority)
>
> /sergio
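The FAQ section Dieter refers to is not reproduced on this page. As an added example, not SQL-Ledger's code and not the FAQ's recipe, the block below shows what HTTP Basic authentication is on the wire and how the server side verifies it, which also makes his second point concrete: the check is stateless, so it authenticates every request but gives you no session to expire or to log out of. The user name, the password, the realm string and the use of PBKDF2 for the stored record are all assumptions made for this example.

```python
"""
Added example (not SQL-Ledger code): HTTP Basic authentication as the
browser sends it and as a server verifies it (RFC 7617).  The user record,
password and realm are constructed for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "SQL-Ledger"  # shown by the browser's login dialog; arbitrary here
_ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return salt, digest


def client_header(user: str, password: str) -> str:
    """What the browser puts in the Authorization header after the dialog:
    the credentials are only base64-encoded, not encrypted, so Basic auth
    needs TLS on the wire even though it keeps them out of the URL."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(authorization: Optional[str],
                     users: Dict[str, Tuple[bytes, bytes]]) -> Tuple[int, dict, Optional[str]]:
    """Return (status, response_headers, authenticated_user).

    A missing, malformed or wrong header gets 401 plus a WWW-Authenticate
    challenge, which is what makes the browser show the login dialog.  No
    state is kept: the browser resends the header on every request until it
    is closed, so this is authentication, not session control.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge, None
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge, None
    user, _, password = raw.partition(":")  # the password may itself contain ':'
    record = users.get(user)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        make_record(password, b"\0" * 16)
        return 401, challenge, None
    salt, expected = record
    _, got = make_record(password, salt)
    if not hmac.compare_digest(got, expected):
        return 401, challenge, None
    return 200, {}, user


# Constructed user table: one account, password chosen for this example.
USERS = {"sergio": make_record("correct horse battery")}


def demo() -> Tuple[int, int, int]:
    """Exchange as the browser would drive it: first request unauthenticated
    (challenge), second with the dialog's answer (200), third with a wrong
    password (challenge again).  Returns the three status codes."""
    first, _, _ = check_basic_auth(None, USERS)
    second, _, _ = check_basic_auth(client_header("sergio", "correct horse battery"), USERS)
    third, _, _ = check_basic_auth(client_header("sergio", "wrong"), USERS)
    return first, second, third


if __name__ == "__main__":
    print(demo())  # statuses of the three requests
```

Two caveats a practitioner would add to "easily add http authentication": over plain HTTP the header is readable by anyone on the path, so it trades the history and log exposure of the thread's URL for wire exposure unless TLS is in place; and because nothing server-side is stateful, "log off" in a Basic-auth application means closing the browser, which is the shared-computer scenario Sergio describes.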
|
From: Kenneth G. <la...@th...> - 2002-03-03 14:51:41
|
sorry about this - this question was not meant for this list, my finger slipped in the address book

kg

On Sunday 03 March 2002 02:15, Dieter Simader wrote:
> There is no session management in SQL-Ledger.
>
> If you have session management then you are not using the official version
> of SQL-Ledger.
>
> I suggest you complain to whoever added session management.
>
>
> Dieter Simader http://www.sql-ledger.org (780) 472-8161
> DWS Systems Inc. Accounting Software Fax: 478-5281
> =========== On a clear disk you can seek forever ===========
>
> On Sat, 2 Mar 2002, Sergio A. Kessler wrote:
> > a solution would be to use http auth
> > (which is a lot simpler than sessions),
> > but dieter is against it :(
> >
> > /sergio
> >
> > ----- Original Message -----
> > From: "Kenneth Gonsalves" <la...@th...>
> >
> > > hi
> > > problem:
> > > user starts a session on a web based app. connection gets cut. he
> > > re-establishes connection and tries to log in. message - 'already logged
> > > in get lost'. he has to wait anything up to 30 minutes for his previous
> > > session
> > > to expire before being able to do his work. any solution for this?
> > > kg