In order to verify that a user is logged in, we check if they have a cookie
of the form:
email:username:isadmin:hash
Where hash is a SHA1 hash of the first three values and the secret key.
Currently the AppServer doesn't verify that the hash actually matches the
hash that the AppServer computes, so a user can set up their own AppScale
instance and once logged into that, log into another user's AppScale
instance with their own credentials.
Working on resolving immediately.
Original issue reported on code.google.com by shattere...@gmail.com on 12 Nov 2009 at 7:47
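An added example, not AppScale's own code, showing the difference between the unchecked parsing described in this issue and a parser that recomputes and compares the hash. The exact concatenation used for the hash (`email:username:isadmin:secret`), the `true`/`false` encoding of `isadmin`, and the secret values are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example; a real deployment loads it from its config.
SECRET_KEY = "example-secret-key"


def make_cookie(email, username, isadmin, secret=SECRET_KEY):
    """Build email:username:isadmin:hash.

    hash = SHA1(email:username:isadmin:secret); the concatenation order is an
    assumption, the issue only says the hash covers the three values and the key.
    """
    isadmin_str = "true" if isadmin else "false"
    payload = f"{email}:{username}:{isadmin_str}"
    digest = hashlib.sha1(f"{payload}:{secret}".encode()).hexdigest()
    return f"{payload}:{digest}"


def parse_cookie_unverified(cookie):
    """The behaviour the issue describes: fields are trusted, the hash is ignored.

    A cookie minted by any other instance (any other secret) is accepted as-is.
    """
    email, username, isadmin, _hash = cookie.split(":", 3)
    return {"email": email, "username": username, "isadmin": isadmin == "true"}


def parse_cookie_verified(cookie, secret=SECRET_KEY):
    """Recompute the hash with this server's secret and reject on mismatch.

    Returns the parsed fields on success, None for a malformed or forged cookie.
    """
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    email, username, isadmin, presented = parts
    expected = hashlib.sha1(f"{email}:{username}:{isadmin}:{secret}".encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of the presented hash were correct.
    if not hmac.compare_digest(expected, presented):
        return None
    return {"email": email, "username": username, "isadmin": isadmin == "true"}


if __name__ == "__main__":
    # A cookie issued by a different AppScale instance (different secret).
    forged = make_cookie("alice@example.com", "alice", True, secret="other-instance-secret")
    print("unverified:", parse_cookie_unverified(forged))   # accepted as admin
    print("verified:", parse_cookie_verified(forged))       # None: rejected
```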