On Mon, 2007-02-12 at 13:41 -0500, David Zeuthen wrote:
> On Mon, 2007-02-12 at 13:36 -0500, Alan Cox wrote:
> > We use a cookie called "uid" and one called "gid".
>
> The problem is that these are not per-session; am not sure why that is
> so difficult to understand.

The session is just uid + time when the user is logged on/active. As
Alan wrote in his other e-mail - you should base the session management
authorization checks on the uid+time notion and use the session cookie
just as advisory. Otherwise you're creating just another path which can
be used to elevate privileges.

But perhaps you already check that in ConsoleKit - I didn't read the
source yet.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb