[Freeipa-devel] [PATCH 64] Implement password based session login

Rob Crittenden rcritten at redhat.com
Sun Feb 26 21:40:54 UTC 2012


John Dennis wrote:
> On 02/26/2012 03:54 PM, John Dennis wrote:
>> I assume you're running the script I attached. The reason why you keep
>> getting new sessions is because the script does not send the previous
>> cookie back; from the server's perspective these all appear to be new
>> login requests. Sessions are not tracked by user; they are tracked by
>> session id.
>
> I should have added that if this was being invoked from the browser UI,
> like it is intended to be, the cookie would be retransmitted by the
> browser and you wouldn't see this behavior. I think what you're seeing
> is an artifact of the clumsy way I cobbled together a test since we
> don't have a UI yet. But I will verify this in a little while.
>

I would have expected to have gotten a brand new session with each 
request and yet it seems to be associating existing sessions as well.

I'm fine with a new session each time but otherwise this could leak data.

rob
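
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: an in-memory session store keyed by session id only, where a client that never returns its cookie gets a new session on every login, and a login that does present a cookie receives a fresh session while the old one is invalidated. The names `SessionStore`, `login`, `request` and the user names are hypothetical, and the credential check is omitted.

```python
import secrets


class SessionStore:
    """Hypothetical store: sessions are looked up by session id, never by user."""

    def __init__(self):
        self._sessions = {}

    def new(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable id carried in the cookie
        self._sessions[sid] = {"user": user, "data": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def drop(self, sid):
        self._sessions.pop(sid, None)

    def __len__(self):
        return len(self._sessions)


def login(store, user, cookie=None):
    """Password login (credential check omitted): always issue a new session.
    A session id sent with the login is invalidated, not reused, so data
    cached under the earlier session cannot carry over to this login."""
    if cookie is not None:
        store.drop(cookie)
    return store.new(user)


def request(store, cookie):
    """Ordinary request: the cookie alone selects the session."""
    session = store.get(cookie)
    return session["user"] if session else None


def demo():
    store = SessionStore()
    # Client without a cookie jar: every login looks new to the server.
    no_jar = {login(store, "alice") for _ in range(3)}
    # Client that returns its cookie: the same session is found again.
    sid = login(store, "bob")
    store.get(sid)["data"]["cached"] = "bob-private"  # constructed sample data
    who = request(store, sid)
    # Login as another user while still presenting bob's cookie.
    sid2 = login(store, "carol", cookie=sid)
    return {"distinct": len(no_jar), "who": who, "old": request(store, sid),
            "new_data": store.get(sid2)["data"], "live": len(store)}
```
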



