Message5945
In message <1489943065.8.0.450565123539.issue2550690@psf.upfronthosting.co.za>,
John Rouillard writes:
>I still have to invalidate the token if it is used in a
>get request so the token can't be replayed before it
>times out.
>
>However people should not be using the token in a get request.
>But I also know people will.

Any use of a token now destroys the token when not using POST,
PUT or DELETE. So GET, HEAD etc. all invalidate the used token. Tests
for replay attacks using the token with a POST or GET have been added
to the suite.
Also there was a bug in setting token lifetimes and purging expired
tokens. That has been fixed as well and tests updated.

| Date | User | Action | Args |
|---|---|---|---|
| 2017-03-19 21:52:03 | rouilj | set | recipients: + rouilj, schlatterbeck, ber, joseph_myers, eadler |
| 2017-03-19 21:52:03 | rouilj | link | issue2550690 messages |
| 2017-03-19 21:52:03 | rouilj | create | |
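
The token handling discussed in this message, sketched as an added example that is not Roundup's code: a one-time token is consumed on every presentation, accepted only on a state-changing method, and dropped once its lifetime has passed. The class name, the in-memory dict, the accepted-method set and the injectable clock are assumptions made for the illustration.

```python
import secrets
import time

STATE_CHANGING = {"POST", "PUT", "DELETE"}   # assumed set of accepted methods


class OneTimeTokenStore:
    """Hypothetical in-memory stand-in for a tracker's one-time-key table."""

    def __init__(self, lifetime=300, clock=time.time):
        self.lifetime = lifetime      # seconds a token stays valid
        self.clock = clock            # injectable so expiry can be tested
        self._expiry = {}             # token -> absolute expiry time

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._expiry[token] = self.clock() + self.lifetime
        return token

    def purge_expired(self):
        now = self.clock()
        dead = [t for t, exp in self._expiry.items() if exp <= now]
        for t in dead:
            del self._expiry[t]
        return len(dead)

    def check(self, method, token):
        """True only for a live token presented on a state-changing method.

        The token is removed on every presentation, whatever the method, so
        one exposed in a GET URL cannot be replayed in a later POST.
        """
        self.purge_expired()
        expiry = self._expiry.pop(token, None)   # consume before deciding
        if expiry is None:
            return False
        return method.upper() in STATE_CHANGING


def demo():
    now = [1000.0]                               # constructed clock value
    store = OneTimeTokenStore(lifetime=60, clock=lambda: now[0])
    t1, t2, t3 = store.issue(), store.issue(), store.issue()
    results = {"post_ok": store.check("POST", t1),
               "post_replay": store.check("POST", t1),
               "get_rejected": store.check("GET", t2),
               "post_after_get": store.check("POST", t2)}
    now[0] += 61                                 # step past t3's lifetime
    results["expired"] = store.check("POST", t3)
    return results
```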