On Thursday 14 February 2008 19:22:18 Christoph Zwerschke wrote:
>
> Ok, that's more plausible than the MonkeyDecodingFilter patch. In fact
> these lines were changed after 1.0.3.2 (since the SVN tag was modified
> later, I assumed the MonkeyDecodingFilter was the only larger change).
>
> One explanation why this cookie expiration patch may be problematic is
> that the "expires" attribute makes MSIE regard the cookie as persistent
> (i.e. not a session cookie) and thus apply a different security level
> that inhibits the cookie.
>
> In fact I consider it also a security risk to set the expires attribute.
> If you close your browser and leave your PC switched on, anybody can
> reactivate your session within the session timeout, without logging in.
>
> And another problem may appear when the times on the server and client
> are not in sync or time zones not computed correctly.
>
> So I think that patch should be reverted.

+1 from me and also for a 1.0.4.5 release...

-- 
Jorge Godoy      <[EMAIL PROTECTED]>
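
Added example, not part of the original thread and not TurboGears code: it builds the same session identifier as a session cookie and as a cookie with "expires", then shows which one survives a browser restart and how client clock skew changes the lifetime the browser computes. The cookie name, value, 20-minute timeout and all function names are constructed for illustration; Max-Age handling goes slightly beyond the "expires" case discussed above.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie


def build_cookie(name, value, expires_at=None):
    """Set-Cookie value; expires_at=None yields a session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if expires_at is not None:
        jar[name]["expires"] = format_datetime(expires_at, usegmt=True)
    return jar[name].OutputString()


def attributes(set_cookie):
    """Lower-cased attribute map of one Set-Cookie value."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def survives_browser_restart(set_cookie):
    """True when the browser stores the cookie beyond the current session."""
    attrs = attributes(set_cookie)
    return "expires" in attrs or "max-age" in attrs


def effective_lifetime(set_cookie, server_now, client_skew):
    """Lifetime as the client computes it; None means until the browser closes."""
    attrs = attributes(set_cookie)
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))  # relative, skew-free
    if "expires" not in attrs:
        return None
    # Expires is absolute and judged against the client clock (server + skew).
    return parsedate_to_datetime(attrs["expires"]) - (server_now + client_skew)


# Constructed sample values: cookie name, id and 20-minute timeout are assumptions.
SERVER_NOW = datetime(2008, 2, 14, 19, 22, 18, tzinfo=timezone.utc)
SESSION = build_cookie("session_id", "abc123")
PERSISTENT = build_cookie("session_id", "abc123", SERVER_NOW + timedelta(minutes=20))
```

A negative lifetime means the browser treats the cookie as already expired on arrival, so the login never appears to stick.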

