[Act-dev] a few ideas for legacy Act

Philippe Bruhat (BooK) philippe.bruhat at free.fr
Fri Sep 25 22:16:45 CEST 2015

On Fri, Sep 25, 2015 at 10:35:10AM +0200, Alex Muntada wrote:
> Alex Muntada:
> > While there's people already taking care of future Act, I'm also
> > worried by legacy Act, both old, recent and current instances.
> Something I forgot to say and that I think it's pretty important
> is adding TLS support to Act instances, starting with those in
> act.yapc.eu.
> Has been any previous discussion regarding this matter?

There was no discussion about it.

Yes, the cookie is transmitted with every request, and I know very well
that it can be used to steal sessions... I know because I do it from time
to time, to help users. The only difference is that I pick the session
id from the database directly. ;-)

Only the payments are done over HTTPS, because that part is obviously
handled by the bank. We have no payment information, other than the fact
that the payment for a given order number that we put in the database
has been accepted by the bank.

My memories from the Act hackathon of 2014 is that a bigger security
issue is the hash we use for storing the password information. It is
not very strong. One participant had a proposal for fixing that, but
I don't remember what happened with it.

 Philippe Bruhat (BooK)

 History is made by the winners and written by those with the loudest voices.
                                    (Moral from Groo The Wanderer #10 (Epic))

More information about the Act-dev mailing list