[mapguide-trac] #168: Can't enumerate sessions via ENUMERATERESOURCES
MapGuide Open Source
trac_mapguide at osgeo.org
Tue May 29 04:01:12 EDT 2007
#168: Can't enumerate sessions via ENUMERATERESOURCES
------------------------------+---------------------------------------------
Reporter: zspitzer | Owner:
Type: enhancement | Status: new
Priority: medium | Milestone: 1.2
Component: Resource Service | Version: 1.2.0
Severity: minor | Resolution:
Keywords: | External_id:
------------------------------+---------------------------------------------
Comment (by ksgeograf):
If user A knows another sessionID, she can impersonate that user. That is
ok, as the sessionID is not guessable, and should only be transferred over
an encrypted link (e.g. SSL). In other words, the sessionID represents an
authentication token.
If the sessionID is compromised, there is no actual added security, as the
map name (and most other resources as well) are highly guessable. It would
merely be an inconvenience for an attacker.
--
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/168#comment:3>
MapGuide Open Source <http://mapguide.osgeo.org/>
MapGuide Open Source Internals