On Tuesday 17 November 2009, Alex Hermann wrote:
Why is the nonce expiry checked in post_auth instead of pre_auth? Now the
expiry is checked after the username/password is checked against the DB.
That seems a bit odd.
I moved the check to check_nonce (which is called from pre_auth) and it
seems to work fine. Did I miss something? Security issue?
Also the nonce reuse check is in post_auth. Why not check it before DB
access is done?
Here's the patch by the way.
--
Greetings,
Alex Hermann
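To make the ordering question above concrete, here is an added example written for this page; it is not the module's pre_auth/post_auth code or Alex's patch. It assumes a self-checking nonce of the form timestamp || random || HMAC tag (the nonce layout, the server secret, the 30 s lifetime, the UserDB class and all function names are hypothetical), so integrity, expiry and one-time reuse can all be verified before any credential lookup. The demo counts DB lookups to show that a stale or replayed request never reaches the database.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed example values (hypothetical): a per-server secret that keys the
# nonce tag, and how long a nonce stays fresh.
NONCE_SECRET = b"example-server-secret"
NONCE_LIFETIME = 30  # seconds


def make_nonce(now, rnd=None, secret=NONCE_SECRET):
    """Nonce = 4-byte issue time || 8 random bytes || 8-byte HMAC tag, base64."""
    rnd = os.urandom(8) if rnd is None else rnd
    body = struct.pack(">I", now) + rnd
    tag = hmac.new(secret, body, hashlib.sha256).digest()[:8]
    return base64.b64encode(body + tag).decode()


def check_nonce(nonce, now, secret=NONCE_SECRET, lifetime=NONCE_LIFETIME):
    """Pre-auth style check: format, integrity and expiry, with no DB involved.
    Returns None when the nonce is acceptable, otherwise a reason string."""
    try:
        raw = base64.b64decode(nonce, validate=True)
    except Exception:
        return "malformed"
    if len(raw) != 4 + 8 + 8:
        return "malformed"
    body, tag = raw[:12], raw[12:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return "forged"
    (issued,) = struct.unpack(">I", body[:4])
    if now - issued > lifetime or issued > now:
        return "stale"
    return None


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


class UserDB:
    """Stand-in for the credential table; counts how often it is queried."""

    def __init__(self, ha1_by_user):
        self.ha1 = ha1_by_user
        self.lookups = 0

    def get_ha1(self, user):
        self.lookups += 1
        return self.ha1.get(user)


def authenticate(hdr, method, db, seen_nonces, now):
    """Cheap nonce checks first; the DB is consulted only for a fresh, unused nonce."""
    reason = check_nonce(hdr["nonce"], now)
    if reason:
        return reason
    if hdr["nonce"] in seen_nonces:
        return "replayed"
    ha1 = db.get_ha1(hdr["username"])
    if ha1 is None:
        return "unknown user"
    ha2 = md5hex(f"{method}:{hdr['uri']}")
    expected = md5hex(f"{ha1}:{hdr['nonce']}:{ha2}")
    if not hmac.compare_digest(expected, hdr["response"]):
        return "bad password"
    seen_nonces.add(hdr["nonce"])  # one-time nonce is consumed on success
    return "ok"


def client_response(user, realm, password, method, uri, nonce):
    """Digest response as a client computes it (RFC 2617 style, no qop)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def demo():
    """Returns (result, cumulative DB lookups) for a valid, a replayed and a stale request."""
    realm = "example.org"
    db = UserDB({"alice": md5hex(f"alice:{realm}:s3cret")})
    seen = set()
    now = 1_000_000
    uri = "sip:bob@example.org"
    nonce = make_nonce(now, rnd=b"\x01" * 8)
    hdr = {
        "username": "alice",
        "realm": realm,
        "uri": uri,
        "nonce": nonce,
        "response": client_response("alice", realm, "s3cret", "INVITE", uri, nonce),
    }
    results = []
    results.append((authenticate(hdr, "INVITE", db, seen, now), db.lookups))
    results.append((authenticate(hdr, "INVITE", db, seen, now), db.lookups))
    results.append((authenticate(hdr, "INVITE", db, set(), now + NONCE_LIFETIME + 1), db.lookups))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The trade-off behind the ordering: with the checks in this order a flood of replayed or expired requests costs only an HMAC and a set lookup per request, whereas checking expiry in post_auth means every such request still triggers a credential query. The one-time nonce is marked used only after the response verifies, so a failed guess against a valid nonce does not consume it.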