> Hi again,
>
> In response to the loss of password hashes for some of our accounts I made up
> a random password, and hashed it with the email address and added it to the
> database (just like the BOINC functions do) for the affected users.
>
> However, I am told that even when this was done, when the project was brought
> back online after a week of downtime, our moderators (who were in the subset
> of affected accounts) were able to access their account details page without
> entering a password (they did not know the new password, and I expected them
> to have to go through the password recovery option, which they tell me they
> did not do).
>
> So something in BOINC allows users to stay logged in for days at a time, even
> if the server goes down.
> Is this something that should be looked at too?
I've just been told, by one of our moderators:

> the "auth" cookie contains the account key, so the password isn't required
> unless a user doesn't accept cookies (or has deleted it).

I admit I am not hot on cookies, so I don't know whether this is good or bad.

Jonathan Miller
System Administrator
Climate Prediction dot Net, University of Oxford
Tel: 01865 610680

_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
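The behaviour reported above (a cookie that carries the account key, so a server-side password reset leaves existing logins valid) can be made concrete with a small model. This is an added example, not BOINC code and not written by anyone on this thread; it is in Python rather than BOINC's PHP, the user record and hashing scheme are simplified assumptions, and the `issue_session`/`validate_session` design is one possible mitigation: the token is signed with a server secret and bound to a fingerprint of the current password hash, so any password change (including an administrator's reset) invalidates it.

```python
"""Added example (not BOINC code): a static account-key cookie versus a
password-bound session token.  Every name, secret and user here is constructed."""
import hashlib
import hmac
import secrets


def make_user(email: str, password: str) -> dict:
    # Constructed user record.  The poster describes hashing the password with
    # the email address; the exact BOINC formula is an assumption here.
    return {
        "email": email,
        "authenticator": secrets.token_hex(16),  # the "account key"
        "passwd_hash": hashlib.md5((password + email.lower()).encode()).hexdigest(),
    }


def reset_password(user: dict, new_password: str) -> None:
    # What the administrator did: replace the password hash in the database.
    user["passwd_hash"] = hashlib.md5(
        (new_password + user["email"].lower()).encode()).hexdigest()


# --- Scheme 1: the cookie *is* the account key (as described in the thread) ---
def legacy_cookie(user: dict) -> str:
    return user["authenticator"]


def legacy_valid(cookie: str, user: dict) -> bool:
    # Only the account key is compared; the password is never consulted, so a
    # password reset has no effect on an existing cookie.
    return hmac.compare_digest(cookie, user["authenticator"])


# --- Scheme 2: signed session token bound to the current password hash ---
def _password_fingerprint(user: dict) -> str:
    return hashlib.sha256(user["passwd_hash"].encode()).hexdigest()[:16]


def issue_session(user: dict, secret: bytes, now: int, ttl: int = 86400) -> str:
    expires = int(now) + ttl
    payload = f"{user['authenticator']}|{_password_fingerprint(user)}|{expires}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_session(token: str, user: dict, secret: bytes, now: int) -> bool:
    try:
        auth, fp, expires, tag = token.split("|")
    except ValueError:
        return False  # malformed token
    payload = f"{auth}|{fp}|{expires}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or forged
    if int(expires) < now:
        return False  # expired: bounds how long a lost cookie stays useful
    if not hmac.compare_digest(auth, user["authenticator"]):
        return False  # token belongs to a different account
    # The decisive check: a password reset changes the fingerprint, so every
    # token issued before the reset stops validating.
    return hmac.compare_digest(fp, _password_fingerprint(user))


def demonstrate() -> dict:
    user = make_user("moderator@example.invalid", "old-password")   # constructed
    secret = b"constructed-server-secret-do-not-reuse"             # constructed
    t0 = 1_700_000_000
    legacy = legacy_cookie(user)
    bound = issue_session(user, secret, t0)
    before = (legacy_valid(legacy, user), validate_session(bound, user, secret, t0 + 60))
    reset_password(user, "new-random-password")
    after = (legacy_valid(legacy, user), validate_session(bound, user, secret, t0 + 60))
    return {"before_reset": before, "after_reset": after}


if __name__ == "__main__":
    print(demonstrate())
```

Running `demonstrate()` shows both cookies accepted before the reset and only the legacy account-key cookie still accepted afterwards; the same fingerprint check also lets a user invalidate all other sessions simply by changing their own password.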
