From 6ca865eddba4b77e94c33e7441d28915f8a70c65 Mon Sep 17 00:00:00 2001 From: einhverfr Date: Fri, 17 Nov 2006 02:39:01 +0000 Subject: Updated release notes git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@646 4979c152-3d1c-0410-bac9-87ea11338e46 --- doc/release_notes | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/doc/release_notes b/doc/release_notes index 24fc427a..a1c6242b 100644 --- a/doc/release_notes +++ b/doc/release_notes 
@@ -104,17 +104,20 @@ Logins in SQL-Ledger can contain any printable characters. In LedgerSMB these are restricted to alphanumeric characters and the symbols ., @, and -. 4.2: Session handling -SQL-Ledger as of 2.6.17 uses session tokens for authentication. These tokens +SQL-Ledger as of 2.6.17 used session tokens for authentication. These tokens are based on the current timestamp and therefore insecure. Furthermore, these tokens are not tracked on the server, so one can easily forge credentials for -either the main application or the administrative interface. +either the main application or the administrative interface. While this was +corrected in 2.6.18, the solutions chosen by SQL-Ledger (caching the crypted +password by the browser) is not in line with commonly accepted best security +practices. LedgerSMB stores the sessions in the database. These are generated as md5 sums of random numbers and are believed to be reasonably secure. The sessions time -out after a period of inactivity. As of the initial release both -SQL-Ledger-style session ID's and the newer version are required to access the -application. In future versions, the SQL-Ledger style session ID's will -probably be removed. +out after a period of inactivity. In the initial release both +SQL-Ledger-style session ID's and the newer version were required to access the +application. In newer versions, the SQL-Ledger style session ID's have been +removed. 4.3: Database Changes Under certain circumstances where the Chart of Accounts is improperly modified, -- cgit v1.2.3
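Review bot: the sentence added in this hunk, "the solutions chosen by SQL-Ledger (caching the crypted password by the browser) is not in line with commonly accepted best security practices", pairs a plural subject with a singular verb; since a single approach is described, read "the solution chosen by SQL-Ledger (...) is not in line". "Crypted" is also ambiguous (hashed or encrypted?), and the release note would serve an administrator better if it said which, because a browser retaining a reusable credential is the risk the sentence is pointing at. In the unchanged context, "generated as md5 sums of random numbers and are believed to be reasonably secure" rests entirely on the quality of the random source: an MD5 of a predictable value is no harder to guess than the value itself, so stating what produces the random numbers would make the security claim checkable. Minor: "session ID's" should be "session IDs" in the three rewritten lines.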