[hunchentoot-devel] Fwd: hunchentoot session hijacking

Hans Hübner hans at huebner.org
Mon Oct 27 10:16:42 UTC 2008


Hi Anton,

thank you for the patches.  I have committed the CL+SSL patch both
upstream and in my repository.

For the session secret update:

- The name *SESSION-SECRETIZER* really does not cut it.  I would suggest that *SESSION-SECRET-SALT* is more suitable.
- The docstring and documentation file should be clear about the expected datatype of the variable (string?).
- I don't like the warning if the only way to set up the salt is setting the special variable.
- Maybe it would be better to supply the concerned user with a way to override the ENCODE-SESSION-STRING function instead of having them mess with the internals of the current session secret encoding function.

I would like to know what Edi thinks about this before committing this
or any other patch to the repository.

-Hans
