On Thursday 14 February 2008 19:22:18 Christoph Zwerschke wrote:
>
> Ok, that's more plausible than the MonkeyDecodingFilter patch. In fact
> these lines were changed after 1.0.3.2 (since the SVN tag was modified
> later, I assumed the MonkeyDecodingFilter was the only larger change).
>
> One explanation why this cookie expiration patch may be problematic is
> that the "expires" attribute makes MSIE regard the cookie as persistent
> (i.e. not a session cookie) and thus apply a different security level
> that inhibits the cookie.
>
> In fact I consider it also a security risk to set the expires attribute.
> If you close your browser and leave your PC switched on, anybody can
> reactivate your session within the session timeout, without logging in.
>
> And another problem may appear when the times on the server and client
> are not in sync or time zones not computed correctly.
>
> So I think that patch should be reverted.

+1 from me and also for a 1.0.4.5 release...

-- 
Jorge Godoy <[EMAIL PROTECTED]>
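The difference between a session cookie and one carrying `expires`, as discussed in the quoted message, shown as an added example that is not part of the thread and is not TurboGears code. The cookie name `sid`, the timestamps and the 20-minute timeout are constructed values, and `audit_set_cookie` and `survives_browser_restart` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample values: cookie name, session id, server time, timeout.
SERVER_NOW = datetime(2008, 2, 14, 19, 0, 0, tzinfo=timezone.utc)
TIMEOUT = timedelta(minutes=20)
SESSION_HEADER = "sid=abc123; Path=/"
PERSISTENT_HEADER = "sid=abc123; Path=/; Expires=" + format_datetime(
    SERVER_NOW + TIMEOUT, usegmt=True)


def audit_set_cookie(header, server_now, client_skew=timedelta(0)):
    """Return (persistent, lifetime_as_seen_by_client) for a Set-Cookie value.

    lifetime is None for a session cookie, which the browser drops on close.
    client_skew is how far the client clock runs ahead of the server clock.
    """
    jar = SimpleCookie()
    jar.load(header)
    morsel = next(iter(jar.values()))
    if morsel["max-age"]:
        # Max-Age is relative, so client clock skew does not affect it.
        return True, timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        # Expires is an absolute date compared against the client's own clock.
        client_now = server_now + client_skew
        return True, parsedate_to_datetime(morsel["expires"]) - client_now
    return False, None


def survives_browser_restart(header, server_now, client_skew=timedelta(0)):
    """True if the cookie is still sent after the browser is closed and reopened."""
    persistent, lifetime = audit_set_cookie(header, server_now, client_skew)
    return persistent and lifetime > timedelta(0)


if __name__ == "__main__":
    cases = [
        ("session cookie", SESSION_HEADER, timedelta(0)),
        ("expires, clocks in sync", PERSISTENT_HEADER, timedelta(0)),
        ("expires, client 30 min ahead", PERSISTENT_HEADER, timedelta(minutes=30)),
    ]
    for label, header, skew in cases:
        persistent, lifetime = audit_set_cookie(header, SERVER_NOW, skew)
        print(f"{label}: persistent={persistent} lifetime={lifetime} "
              f"survives_restart={survives_browser_restart(header, SERVER_NOW, skew)}")
```

With the client clock 30 minutes ahead, the `expires` cookie is already in the past when it arrives, so the browser discards it at once.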