[Act-dev] a few ideas for legacy Act
Philippe Bruhat (BooK)
philippe.bruhat at free.fr
Fri Sep 25 22:16:45 CEST 2015
On Fri, Sep 25, 2015 at 10:35:10AM +0200, Alex Muntada wrote:
> Alex Muntada:
>
> > While there are people already taking care of future Act, I'm also
> > worried by legacy Act, both old, recent and current instances.
>
> Something I forgot to say and that I think is pretty important
> is adding TLS support to Act instances, starting with those in
> act.yapc.eu.
>
> Has there been any previous discussion regarding this matter?
There was no discussion about it.
Yes, the cookie is transmitted with every request, and I know very well
that it can be used to steal sessions... I know because I do it from time
to time, to help users. The only difference is that I pick the session
id from the database directly. ;-)
Only the payments are done over HTTPS, because that part is obviously
handled by the bank. We have no payment information, other than the fact
that the payment for a given order number that we put in the database
has been accepted by the bank.
My memory from the Act hackathon of 2014 is that a bigger security
issue is the hash we use for storing the password information. It is
not very strong. One participant had a proposal for fixing that, but
I don't remember what happened with it.
--
Philippe Bruhat (BooK)
History is made by the winners and written by those with the loudest voices.
(Moral from Groo The Wanderer #10 (Epic))