summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authoreinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-17 02:39:01 +0000
committereinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2006-11-17 02:39:01 +0000
commit6ca865eddba4b77e94c33e7441d28915f8a70c65 (patch)
tree5084dc91416c4ff217c52c761cbcfc46fd83b12c /doc
parentf2dfc55c790ec2cc83c3a769920390af840ceec1 (diff)
Updated release notes
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@646 4979c152-3d1c-0410-bac9-87ea11338e46
Diffstat (limited to 'doc')
-rw-r--r--doc/release_notes15
1 files changed, 9 insertions, 6 deletions
diff --git a/doc/release_notes b/doc/release_notes
index 24fc427a..a1c6242b 100644
--- a/doc/release_notes
+++ b/doc/release_notes
@@ -104,17 +104,20 @@ Logins in SQL-Ledger can contain any printable characters. In LedgerSMB these
are restricted to alphanumeric characters and the symbols ., @, and -.
4.2: Session handling
-SQL-Ledger as of 2.6.17 uses session tokens for authentication. These tokens
+SQL-Ledger as of 2.6.17 used session tokens for authentication. These tokens
are based on the current timestamp and therefore insecure. Furthermore, these
tokens are not tracked on the server, so one can easily forge credentials for
-either the main application or the administrative interface.
+either the main application or the administrative interface. While this was
+corrected in 2.6.18, the solutions chosen by SQL-Ledger (caching the crypted
+password by the browser) is not in line with commonly accepted best security
+practices.
LedgerSMB stores the sessions in the database. These are generated as md5 sums
of random numbers and are believed to be reasonably secure. The sessions time
-out after a period of inactivity. As of the initial release both
-SQL-Ledger-style session ID's and the newer version are required to access the
-application. In future versions, the SQL-Ledger style session ID's will
-probably be removed.
+out after a period of inactivity. In the initial release both
+SQL-Ledger-style session ID's and the newer version were required to access the
+application. In newer versions, the SQL-Ledger style session ID's have been
+removed.
4.3: Database Changes
Under certain circumstances where the Chart of Accounts is improperly modified,