[dev] New token variant (was: Re: [commits] Horde branch master updated. 1e943c0937d592233379d8cac82b89f80861b11c)
Chuck Hagenbuch
chuck at horde.org
Sat Dec 4 03:49:59 UTC 2010
Quoting Gunnar Wrobel <p at rdus.de>:
>>> Questions:
>>>
>>> - Do I need to kill the new "token_key" cookie explicitly on login/logout?
>>
>> Why didn't you re-use the existing Horde_Secret cookie?
>
> The "auth_key"? I wasn't aware that I could reuse it because of the
> name "auth". Will do that.
Maybe this can/should be renamed so that it's clearer? Alternately, do
we really want to be using the same key for encrypting authentication
credentials as for form tokens? Having distinct keys for different
things is a pretty basic encryption best practice...
>>> - Do the current storage solutions we use for "unique tokens" (SQL or file
>>> based) pose a notable problem on large installations? The reason I'm asking
>>> is because I realized the bloom filter approach in Horde_Nonce is really
>>> only useful to reduce the amount of storage required when remembering tokens
>>> that have already been used. And in case our current approach is just fine
>>> I would simply delete Horde_Nonce again and rely on the simple stuff I
>>> did in Horde_Token now.
>>
>> I never heard of any problems with those.
>
> Okay, Horde_Nonce will vanish again.
I agree that the bloom filter was really nifty, fwiw. :)
-chuck
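The key-separation point raised above, as an added example that is not Horde code: one master secret, a distinct derived key per purpose (auth vs. form tokens), and a one-time token verifier that remembers used nonces and rejects a token minted under the auth key. The names hkdf_expand, TokenStore, the info strings and the master secret are assumptions.

```python
import hmac, hashlib, os, time, base64

MASTER_SECRET = b"constructed-master-secret-not-a-real-horde-key"  # constructed sample

def hkdf_expand(prk, info, length=32):
    """HKDF-Expand (RFC 5869) over HMAC-SHA256: one master secret yields one
    key per purpose, so auth credentials and form tokens never share a key."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

AUTH_KEY = hkdf_expand(MASTER_SECRET, b"horde/auth_key")    # encrypts credentials
TOKEN_KEY = hkdf_expand(MASTER_SECRET, b"horde/token_key")  # signs form tokens

class TokenStore:
    """Issues one-time form tokens and remembers the nonces already consumed."""
    def __init__(self, key, lifetime=3600):
        self.key, self.lifetime, self.used = key, lifetime, set()

    def issue(self, now=None):
        now = int(time.time()) if now is None else now
        nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()  # no '.' in urlsafe b64
        payload = "%s.%d" % (nonce, now)
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return "%s.%s" % (payload, mac)

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            nonce, issued, mac = token.split(".")
            issued = int(issued)
        except ValueError:
            return False                      # malformed
        payload = ("%s.%d" % (nonce, issued)).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                      # tampered, or signed under another key
        if now - issued > self.lifetime:
            return False                      # expired
        if nonce in self.used:
            return False                      # replay of an already-used token
        self.used.add(nonce)                  # the simple "remember used tokens" store
        return True
```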