Updating the cookie driver to use HMAC authentication on all cookie data #1896

Merged
merged 2 commits into from Oct 17, 2012

Conversation

Projects
None yet
4 participants
Contributor

pkriete commented Oct 16, 2012

In response to issue #1888.

Signed-off-by: Pascal Kriete pascal@pascalkriete.com

@pkriete pkriete Updating the cookie driver to use HMAC authentication on all cookie d…
…ata.

Signed-off-by: Pascal Kriete <pascal@pascalkriete.com>
f69f0e8
Contributor

pkriete commented Oct 16, 2012

@narfbg @derekjones @wesbaker Extremely simple fix, but don't want to put in security changes without review.

Contributor

narfbg commented Oct 16, 2012

Looks good to me. 👍

Only ... since we're switching from MD5 to SHA1 and old cookies would be invalidated, a lot of people might get crazy when they read about hacking attempts in their log files. We might want to remove that particular sentence.

Since @TheRook has pointed out this issue and has suggested another solution, we might get an opinion from him as well. Care to comment?

Contributor

alexbilbie commented Oct 16, 2012

I agree with @narfbg, the hacking sentence is a bit scary. But otherwise I'm all for the change.

@pkriete pkriete Changing session error logging verbiage to be a little less unsettling.
Signed-off-by: Pascal Kriete <pascal@pascalkriete.com>
28dc202

pkriete merged commit 72865da into bcit-ci:develop Oct 17, 2012

1 check passed

default The Travis build passed
Details
Contributor

GDmac commented Oct 21, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment