On Tue, Nov 22, 2011 at 10:10 PM, Jeremy Cowgar <jer...@cowgar.com> wrote:
> That does indeed work, however, how long will that cookie be active? It
> should have a time encoded in it as to expire after a period of time.
> Otherwise, if someone were to get ahold of the cookie they could use it
> indefinitely.
>

i knew some observant person would ask that ;). i don't remember off hand how long the cookie is valid. When the time expires, the auth token (==the login cookie's value) expires with it. AFAIK the cookie's name does not change as long as the repo's name and shared secret do not change, but i need to verify that. While the code is technically only a few windows away, i'm dead tired and won't get around to looking at it this evening.

There is a secondary problem with this approach which i failed to mention earlier: fossil's current login mechanism does not support multiple logins for one user. Each successful login generates a new auth token, so the most recent login wins, so to say. This is high on my own personal list of fixmes because the single-login restriction poses a severe usability problem for the JSON API. That said, fixing it requires touching/restructuring some internal bits of fossil which need careful consideration before touching them, and i cannot currently give a guestimate as to when this will be resolved.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users