Follow-up Comment #4, bug #6693 (project savane):
> I would not be surprised that "only 1 session" feature is not largely
used, as it was not included in any release, it exists only on SVN.
LOL :)
Ok, so it's probably good to send the user_id and session_hash to the browser
website so that it authenticates using those (and still creates a new session
in the case where brother_website is actually separate).
On a related matter (again), I see that the brother website accepts
authentication directly on the encrypted password.
I think that's not good: getting access to one user's encrypted password
therefore means you can actually log in under that user - without knowing the
real password.
I think it is better to send the actual password via TLS to the brother
website (instead of the crypted form). Since the password was also just sent
via TLS to the original website, the security was not loosened.
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?func=detailitem&item_id=6693>
_______________________________________________
Message posted via Gna!
http://gna.org/
_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
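The two points raised in the comment above, as an added example that is not part of the original thread or of the Savane code base: a "brother website" login endpoint that accepts the stored (encrypted) password directly, beside one that takes the real password and re-derives the hash itself, plus a minimal version of the proposed handoff where the browser carries `user_id` and `session_hash` and the brother site still creates its own new session. The user record, salt, password, session store and all function names are constructed for illustration; PBKDF2 stands in for whatever crypt scheme Savane actually uses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user record: a PBKDF2 hash of the constructed password "correct horse".
# The salt is fixed so the example is deterministic; real code derives a fresh one per user.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Password hashing function standing in for the stored 'encrypted password'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USER_DB: Dict[str, bytes] = {"alice": hash_password("correct horse")}


def login_by_stored_hash(user: str, submitted_hash: bytes) -> bool:
    """Weak scheme described in the comment: the brother website accepts the stored
    hash as the credential, so anyone who obtains the hash can log in as the user."""
    stored = USER_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


def login_by_password(user: str, password: str) -> bool:
    """Suggested scheme: the brother website receives the real password (over TLS)
    and re-derives the hash itself, so a leaked hash alone is not a credential."""
    stored = USER_DB.get(user)
    if stored is None:
        hash_password(password)  # run the KDF anyway so unknown users take the same time
        return False
    return hmac.compare_digest(stored, hash_password(password))


# Session store shared between the main site and the brother site: session_hash -> user_id.
SESSIONS: Dict[str, str] = {}


def create_session(user_id: str) -> str:
    """Issue a fresh, unguessable session hash for a user."""
    session_hash = secrets.token_hex(16)
    SESSIONS[session_hash] = user_id
    return session_hash


def handoff_login(user_id: str, session_hash: str) -> Optional[str]:
    """Brother-site login using the (user_id, session_hash) pair carried by the browser.
    The pair must match an existing session; on success a separate new session is created."""
    if SESSIONS.get(session_hash) != user_id:
        return None
    return create_session(user_id)


def demo() -> Dict[str, bool]:
    """Compare the two login schemes when only the stored hash has leaked."""
    leaked_hash = USER_DB["alice"]  # what an exposed user table would reveal
    return {
        "hash_login_with_leaked_hash": login_by_stored_hash("alice", leaked_hash),      # True
        "password_login_with_leaked_hash": login_by_password("alice", leaked_hash.hex()),  # False
        "password_login_with_real_password": login_by_password("alice", "correct horse"),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    main_site_session = create_session("alice")
    print("handoff ok:", handoff_login("alice", main_site_session) is not None)
    print("handoff with wrong user:", handoff_login("bob", main_site_session))
```

The comparison makes the comment's point concrete: with `login_by_stored_hash`, the database contents are the credential; with `login_by_password`, the brother site holds the same hash but a leaked copy of it does not let anyone in. `handoff_login` shows the "still creates a new session" part of the proposal: the session hash from the main site is checked against the shared store and then a distinct session is issued for the brother site.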