On Sep 30, 2011, at 16:15 , Stephan Beal wrote:

> On Fri, Sep 30, 2011 at 4:02 PM, Dmitry Chestnykh <dmi...@codingrobots.com> wrote:
>
>> I have attached a patch to sha.c with HMAC implementation, and double-signing.
>
> :-D
>
>> Basically, if zKey is a random secret string stored in the database, and zRest is a concatenation of the values you want to store in the cookie (e.g. login/ip-address/project-code):
>
> So zKey is the per-user secret or repo secret? If I understand correctly, this change just replaces the repo secret with user secret. Is that correct?

If you want a "Log out all my sessions" button in addition to "Log out this session", then it's a per-user secret. If it's a per-repository secret, then "log out all my sessions" is not possible.

That's speaking of registered users. For anonymous users, the current code is basically what I'm proposing, but instead of HMAC it uses plain SHA1 of the concatenation of the per-repository secret ("captcha-secret") and /TIME/IPADDR (HMAC is better, but the current code is OK too).

> Will this be part of the timing-based change which Richard asked be put in the trunk? If so, I'll wait until it's in there.

No. Maybe we should create a new branch for an overhaul of the cookie code to allow multiple sessions?

-- 
Dmitry Chestnykh

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
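As an added illustration of the scheme discussed above (example code, not the patch from the thread and not Fossil's sha.c): the cookie payload zRest is login/ip-address/project-code, the tag is HMAC-SHA1 of zRest under a per-user secret zKey, and "log out all my sessions" is just replacing that user's zKey so every cookie signed under the old one fails verification. The names zKey and zRest come from the thread; the user table, the function names and the separator handling are assumptions of this example.

```python
"""Constructed example: HMAC-SHA1 login cookies with a per-user secret.

Not Fossil's code. zKey / zRest follow the names used in the thread; the
user table and helper names below are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SEP = "/"

# Hypothetical user table: login -> per-user secret (zKey), as if stored in
# the repository database alongside the user record.
USERS: Dict[str, str] = {}


def new_user_secret() -> str:
    """Fresh random zKey (40 hex chars, i.e. 160 bits, matching SHA1's width)."""
    return secrets.token_hex(20)


def set_user_secret(login: str, zKey: Optional[str] = None) -> str:
    """Store (or replace) the per-user secret; returns the secret in use."""
    if zKey is None:
        zKey = new_user_secret()
    USERS[login] = zKey
    return zKey


def sign(zKey: str, zRest: str) -> str:
    """HMAC-SHA1(zKey, zRest), hex encoded. This is the cookie's tag."""
    return hmac.new(zKey.encode(), zRest.encode(), hashlib.sha1).hexdigest()


def make_cookie(login: str, ip: str, project_code: str) -> str:
    """Build zRest = login/ip/project-code and append its HMAC tag."""
    fields = (login, ip, project_code)
    # Fields are joined with SEP, so a field containing SEP would be ambiguous
    # when parsed back; refuse to sign it rather than hope for the best.
    if any(SEP in f for f in fields):
        raise ValueError("cookie field must not contain %r" % SEP)
    zKey = USERS[login]  # KeyError for unknown users is deliberate here
    zRest = SEP.join(fields)
    return zRest + SEP + sign(zKey, zRest)


def verify_cookie(cookie: str, client_ip: str) -> Optional[Dict[str, str]]:
    """Return the cookie's fields if the tag verifies and the IP matches, else None."""
    parts = cookie.rsplit(SEP, 1)
    if len(parts) != 2:
        return None
    zRest, tag = parts
    fields = zRest.split(SEP)
    if len(fields) != 3:
        return None
    login, ip, project_code = fields
    zKey = USERS.get(login)
    if zKey is None:
        return None  # unknown user, or all sessions already revoked
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(sign(zKey, zRest), tag):
        return None
    # The IP is part of the signed payload; bind the cookie to the presenting client.
    if ip != client_ip:
        return None
    return {"login": login, "ip": ip, "project_code": project_code}


def logout_all_sessions(login: str) -> None:
    """Rotate the user's zKey: every cookie signed under the old key now fails."""
    set_user_secret(login)


if __name__ == "__main__":
    set_user_secret("alice")
    c = make_cookie("alice", "10.0.0.5", "proj1")
    print("valid:", verify_cookie(c, "10.0.0.5"))
    logout_all_sessions("alice")
    print("after logout-all:", verify_cookie(c, "10.0.0.5"))
```

A per-repository secret would give the same tag construction but with one zKey shared by every user, which is why, as the thread notes, it cannot express "log out all of this user's sessions" without also logging out everyone else.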