Roundup Tracker - Issues

Message5945

Author rouilj
Recipients ber, eadler, joseph_myers, rouilj, schlatterbeck
Date 2017-03-19.21:52:03
Message-id <20170319215201.5F57780693@vm71.cs.umb.edu>
In-reply-to <1489943065.8.0.450565123539.issue2550690@psf.upfronthosting.co.za>
In message <1489943065.8.0.450565123539.issue2550690@psf.upfronthosting.co.za>,
John Rouillard writes:
>I still have to invalidate the token if it is used in a
>get request so the token can't be replayed before it
>times out.
>
>However people should not be using the token in a get request.
>But I also know people will.

Any use of a token now destroys the token when not using POST,
PUT or DELETE. So GET, HEAD etc. all invalidate the used token.  Tests
for replay attacks using the token with a POST or GET have been added
to the suite.

Also there was a bug in setting token lifetimes and purging expired
tokens. That has been fixed as well and tests updated.
History
Date User Action Args
2017-03-19 21:52:03 rouilj set recipients: + rouilj, schlatterbeck, ber, joseph_myers, eadler
2017-03-19 21:52:03 rouilj link issue2550690 messages
2017-03-19 21:52:03 rouilj create
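
The behaviour described in the message above, as an added sketch that is not part of the message and is not Roundup's own code: a token presented with any method is destroyed, only POST, PUT or DELETE can be authorized by it, and expired tokens are purged. The names `TokenStore`, `authorizes_change` and `purge` are hypothetical, and single use on POST is an assumption drawn from the replay tests the message mentions.

```python
import secrets
import time

# Methods allowed to carry a token, as listed in the message.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


class TokenStore:
    """Hypothetical in-memory one-time token store (illustration only)."""

    def __init__(self, lifetime=3600, clock=time.time):
        self.lifetime = lifetime      # seconds a token stays valid
        self.clock = clock            # injectable so tests control time
        self._expiry = {}             # token -> absolute expiry time

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._expiry[token] = self.clock() + self.lifetime
        return token

    def purge(self):
        """Drop expired tokens; return how many were removed."""
        now = self.clock()
        dead = [t for t, exp in self._expiry.items() if exp <= now]
        for t in dead:
            del self._expiry[t]
        return len(dead)

    def authorizes_change(self, method, token):
        """Return True only if this request may change state.

        The token is destroyed on any use, so one exposed in a GET URL
        (server logs, Referer header) cannot be replayed afterwards.
        """
        expiry = self._expiry.pop(token, None)    # destroy on any use
        if method.upper() not in STATE_CHANGING:
            return False              # GET, HEAD etc. never authorize
        return expiry is not None and expiry > self.clock()


if __name__ == "__main__":
    store = TokenStore(lifetime=60)
    leaked = store.issue()
    print("GET with token authorizes:", store.authorizes_change("GET", leaked))
    print("POST replay authorizes:", store.authorizes_change("POST", leaked))
```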