Heads up for login managers

Tomas Mraz tmraz at redhat.com
Mon Feb 12 18:58:18 UTC 2007


On Mon, 2007-02-12 at 13:41 -0500, David Zeuthen wrote:
> On Mon, 2007-02-12 at 13:36 -0500, Alan Cox wrote:
> > We use a cookie called "uid" and one called "gid". 
> 
> The problem is that these are not per-session; am not sure why that is
> so difficult to understand.

The session is just uid + time when the user is logged on/active. As
Alan wrote in his other e-mail - you should base the session management
authorization checks on the uid+time notion and use the session cookie
just as advisory. Otherwise you're creating just another path which can
be used to elevate privileges. But perhaps you already check that in
ConsoleKit - I haven't read the source yet.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
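As an added illustration (not code from this thread or from ConsoleKit), the distinction Tomas draws above: a check that trusts a "uid" value carried in the cookie itself, beside one that uses the cookie only as a lookup handle and makes the caller's real uid plus the session's login time authoritative. The session table, the `peer_uid` argument (standing in for kernel-supplied peer credentials) and the legacy cookie format are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed legacy-style cookie of the "uid"/"gid" kind mentioned in the
# thread: everything in it is attacker-controlled if the client can set it.
def parse_legacy_cookie(cookie: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)

def authorize_cookie_only(cookie: str) -> Optional[int]:
    """Weak path: the uid named in the cookie is taken at face value."""
    fields = parse_legacy_cookie(cookie)
    return int(fields["uid"]) if "uid" in fields else None

@dataclass
class Session:
    uid: int            # real uid of the user who logged in
    login_time: float   # when the session started
    active: bool = True

# cookie (opaque random handle) -> authoritative session record
SESSIONS: Dict[str, Session] = {}

def register_session(cookie: str, uid: int, login_time: float) -> None:
    SESSIONS[cookie] = Session(uid=uid, login_time=login_time)

def authorize_session(cookie: str, peer_uid: int,
                      now: Optional[float] = None) -> Optional[int]:
    """Strong path: the cookie only selects a session. The decision rests on
    peer_uid (assumed to come from SO_PEERCRED / bus caller credentials) and
    the session's own uid + login time, never on a value the client supplies."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie)
    if sess is None or not sess.active:
        return None             # unknown or ended session
    if sess.uid != peer_uid:
        return None             # cookie replayed by a different uid
    if sess.login_time > now:
        return None             # session claims to start in the future
    return sess.uid
```

With the weak check a client that writes `uid=0` into its cookie is treated as root; with the strong check the same cookie is useless to anyone whose real uid does not match the session it points to.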