On Fri, Jan 27, 2017 at 02:04:59PM -0800, James Bottomley wrote: > if I look at the code I've written, I don't know what the session > number is, I just save sessionHandle in a variable for later use (lets > say to v1). If I got the same session number returned at a later time > and placed it in v2, all I'd notice is that an authorization using v1 > would fail.
Is there any way that could be used to cause an op thinking it is using v1 to authorize something it shouldn't? Jason