I think this is a good patch and that it should be merged into trunk.

On Fri, Sep 30, 2011 at 7:07 AM, Stephan Beal <sgb...@googlemail.com> wrote:

> On Fri, Sep 30, 2011 at 12:43 PM, Dmitry Chestnykh <
> dmi...@codingrobots.com> wrote:
>
>> However, due to the use of plain-text passwords in the old versions and
>> compatibility with them, it is currently possible to supply the password hash
>> (if you know the project-id) instead of the password:
>>
>
> if i'm not mistaken you need both the project ID and the captcha secret
> (which is random by default).
>
>> Once we get rid of plain-text passwords, we no longer need constant-time
>> comparison functions in password-handling code. That leaves cookies, which
>> are just a 25-byte random blob + project-code + login, and Fossil searches
>> for that blob in the database.
>>
>
> To allow multiple logins for a given user (required for JSON usability
> reasons) i will eventually need to move the login entries into a separate
> table (currently stored in the user table). i will wait on any pending
> changes from you in this area before i do that, since we will probably touch
> the same code here.
>
> --
> ----- stephan beal
> http://wanderinghorse.net/home/stephan/
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>
>


-- 
D. Richard Hipp
d...@sqlite.org