[cosmo-dev] How unique are tickets? (more on security hole options)
Randy Letness
randy at osafoundation.org
Thu Feb 21 10:15:25 PST 2008

Grant Baillie wrote:
> One thing I was realizing as I was implementing the ticket-generating
> code for the Desktop, is that it's easiest to generate the tickets for
> all shares an item is part of, regardless of which server the item is
> shared on.
>
> Are ticket-ids uniqued enough that this is OK? Also, are there
> security implications ("leaking" tickets to other servers, I guess) I
> should worry about?
>
> It's certainly possible to try to generate tickets for only the server
> we're dealing with, although in practice instances may be shared by
> different server URLs, a well-known case in point being just http: vs
> https: on the Hub. So, I'm somewhat reluctant to go add a bunch of
> logic that may well be broken anyway.

You should be able to just include all tickets. I can't think of any
problems this would cause, other than including some extra data that
will be ignored by the server.

-Randy