On Fri, Sep 30, 2011 at 12:43 PM, Dmitry Chestnykh <dmi...@codingrobots.com> wrote:

> However, due to the use of plain-text passwords in the old versions and
> compatibility with them, it is currently possible to supply password hash
> (if you know project-id) instead of the password:
>

if i'm not mistaken you need both the project ID and the captcha secret (which is random by default).

> Once we get rid of plain-text passwords, we no longer need constant-time
> comparison functions in password-handling code. That leaves cookies, which
> are just a 25-byte random blob + project-code + login, and Fossil searches
> for that blob in database.
>

To allow multiple logins for a given user (required for JSON usability reasons) i will eventually need to move the login entries into a separate table (currently stored in the user table). i will wait on any pending changes from you in this area before i do that, since we will probably touch the same code here.

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/