[Act-dev] a few ideas for legacy Act
Theo Van Hoesel
th.j.v.hoesel at gmail.com
Fri Sep 25 23:12:39 CEST 2015
On the other hand...
Act-Voyager requires the REST API to run over HTTPS, and has username/password sent with 'unsafe' methods (which has nothing to do with HTTPS)... but that had not yet been switched on for it
Sent from my iPhone
> On 25 Sep 2015, at 21:16, Philippe Bruhat (BooK) <philippe.bruhat at free.fr> wrote:
>> On Fri, Sep 25, 2015 at 10:35:10AM +0200, Alex Muntada wrote:
>> Alex Muntada:
>>> While there's people already taking care of future Act, I'm also
>>> worried by legacy Act, both old, recent and current instances.
>> Something I forgot to say and that I think it's pretty important
>> is adding TLS support to Act instances, starting with those in
>> Has there been any previous discussion regarding this matter?
> There was no discussion about it.
> Yes, the cookie is transmitted with every request, and I know very well
> that it can be used to steal sessions... I know because I do it from time
> to time, to help users. The only difference is that I pick the session
> id from the database directly. ;-)
> Only the payments are done over HTTPS, because that part is obviously
> handled by the bank. We have no payment information, other than the fact
> that the payment for a given order number that we put in the database
> has been accepted by the bank.
> My memories from the Act hackathon of 2014 are that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.
> Philippe Bruhat (BooK)
> History is made by the winners and written by those with the loudest voices.
> (Moral from Groo The Wanderer #10 (Epic))
> Act-dev mailing list
> Act-dev at mongueurs.net
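The quoted message flags the password hash Act stores as "not very strong" without saying what should replace it. The example below is added here and is not Act project code (Act itself is Perl; Python is used so the example is self-contained). It models the legacy scheme as an unsalted SHA-1 hex digest, which is a constructed stand-in, not the thread's actual hash, and shows the usual migration pattern: keep verifying old hashes, but rehash with a slow, salted KDF (PBKDF2-HMAC-SHA256 via hashlib) the next time the user logs in successfully, so the stored hashes upgrade without a forced password reset. The storage format `pbkdf2$iterations$salt_hex$dk_hex` and the `users` dictionary standing in for the database are assumptions for the example.

```python
"""Transparent upgrade from a weak legacy password hash to PBKDF2-HMAC-SHA256.

Added example, not Act project code. Assumptions: the legacy hash is modelled
as unsalted SHA-1 (a constructed stand-in); new hashes are stored as
'pbkdf2$iterations$salt_hex$dk_hex'; a dict stands in for the user table.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # slow on purpose; tune to ~100 ms on the server
PBKDF2_DKLEN = 32             # derived key length in bytes
NEW_PREFIX = "pbkdf2$"


def legacy_hash(password: str) -> str:
    # Constructed stand-in for the weak legacy scheme: unsalted SHA-1.
    # Unsalted + fast means identical passwords share a hash and rainbow
    # tables apply; this is the defect the migration removes.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None,
             iterations: int = PBKDF2_ITERATIONS) -> str:
    # Fresh random salt per user; iterations stored alongside so they can
    # be raised later without another storage format change.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=PBKDF2_DKLEN)
    return f"{NEW_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    # Anything not carrying the new prefix is treated as a legacy digest.
    return not stored.startswith(NEW_PREFIX)


def verify(stored: str, password: str) -> bool:
    # Constant-time comparison in both branches so the check itself does
    # not leak how many leading characters matched.
    if is_legacy(stored):
        return hmac.compare_digest(legacy_hash(password), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters),
                             dklen=PBKDF2_DKLEN)
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check credentials; on success, rehash legacy entries with PBKDF2."""
    stored = users.get(username)
    if stored is None:
        # Do equivalent work for unknown users so a missing account is not
        # distinguishable from a wrong password by response time.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16,
                            PBKDF2_ITERATIONS, dklen=PBKDF2_DKLEN)
        return False
    if not verify(stored, password):
        return False
    if is_legacy(stored):
        # The plaintext is only available at login time, so this is the one
        # moment the weak hash can be replaced without a password reset.
        users[username] = new_hash(password)
    return True


def migration_progress(users: Dict[str, str]) -> Tuple[int, int]:
    """(upgraded, total): lets an operator see when the legacy column can go."""
    upgraded = sum(1 for h in users.values() if not is_legacy(h))
    return upgraded, len(users)


if __name__ == "__main__":
    # Constructed sample user table: one legacy hash, one already upgraded.
    table = {"alice": legacy_hash("correct horse"),
             "bob": new_hash("battery staple")}
    print("before:", migration_progress(table))
    print("alice login:", login(table, "alice", "correct horse"))
    print("after: ", migration_progress(table))
```

Once `migration_progress` reports every row upgraded, the `is_legacy` branch can be deleted and the remaining legacy digests (accounts that never logged in again) invalidated with a reset, which closes the window in which the old hashes still matter.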