pombreda / appscale

Automatically exported from code.google.com/p/appscale

get_user_info doesn't verify hash #106

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In order to verify that a user is logged in, we check if they have a cookie
of the form:

email:username:isadmin:hash

Where hash is a SHA1 hash of the first three values and the secret key.
Currently the AppServer doesn't verify that the hash actually matches the
hash that the AppServer computes, so a user can set up their own AppScale
instance and once logged into that, log into another user's AppScale
instance with their own credentials.

Working on resolving immediately.

Original issue reported on code.google.com by shattere...@gmail.com on 12 Nov 2009 at 7:47
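The cookie scheme and the missing check described in the report, as an added example written for this page (it is not AppScale's own code). The exact way the three fields and the secret key are concatenated before hashing, the placeholder secrets, and the "true"/"false" encoding of isadmin are assumptions; the point is the contrast between a parser that trusts the first three fields and one that recomputes the hash and ignores the cookie on mismatch, including a cookie minted under a different instance's secret.

```python
import hashlib
import hmac

# Assumption: placeholder secrets standing in for two separate deployments.
VICTIM_SECRET = "victim-deployment-secret"
ATTACKER_SECRET = "attacker-deployment-secret"


def compute_hash(email, username, isadmin, secret):
    """SHA1 over the first three cookie fields plus the secret key.

    The report only says the hash covers those values and the secret; the
    concatenation used here is an assumption for the example.
    """
    material = f"{email}:{username}:{isadmin}{secret}".encode("utf-8")
    return hashlib.sha1(material).hexdigest()


def make_cookie(email, username, isadmin, secret):
    """Build a cookie of the form email:username:isadmin:hash."""
    isadmin_str = "true" if isadmin else "false"
    digest = compute_hash(email, username, isadmin_str, secret)
    return f"{email}:{username}:{isadmin_str}:{digest}"


def get_user_info_unverified(cookie):
    """Pre-fix behaviour: the hash field is split off but never checked."""
    email, username, isadmin, _presented = cookie.split(":", 3)
    return {"email": email, "username": username, "isadmin": isadmin == "true"}


def get_user_info_verified(cookie, secret):
    """Post-fix behaviour: recompute the hash; ignore the cookie on mismatch."""
    parts = cookie.split(":", 3)
    if len(parts) != 4:
        return None
    email, username, isadmin, presented = parts
    expected = compute_hash(email, username, isadmin, secret)
    # compare_digest keeps the comparison time independent of where the
    # first differing byte sits, so an attacker cannot guess the hash byte-wise.
    if not hmac.compare_digest(expected, presented):
        return None
    return {"email": email, "username": username, "isadmin": isadmin == "true"}


def forged_admin_cookie():
    """Cookie minted on the attacker's own instance with the attacker's secret."""
    return make_cookie("mallory@example.com", "mallory", True, ATTACKER_SECRET)


def tampered_cookie():
    """A legitimately issued non-admin cookie with isadmin flipped in transit."""
    good = make_cookie("alice@example.com", "alice", False, VICTIM_SECRET)
    return good.replace(":false:", ":true:")


if __name__ == "__main__":
    forged = forged_admin_cookie()
    # The unverified parser grants admin to a cookie signed under the wrong secret.
    print("unverified:", get_user_info_unverified(forged))
    # The verified parser rejects it, and also rejects a flipped isadmin flag.
    print("verified:  ", get_user_info_verified(forged, VICTIM_SECRET))
    print("tampered:  ", get_user_info_verified(tampered_cookie(), VICTIM_SECRET))
    legit = make_cookie("alice@example.com", "alice", False, VICTIM_SECRET)
    print("legit:     ", get_user_info_verified(legit, VICTIM_SECRET))
```

Two caveats a reviewer would raise on top of the fix itself: a plain SHA1 over data concatenated with a secret is not a keyed MAC, so the standard choice for a cookie of this shape is HMAC (hmac.new with the secret as key) rather than a bare hash; and the check above only ever returns None on failure, so callers must treat None as "not logged in" rather than falling back to the unverified fields.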

GoogleCodeExporter commented 9 years ago
The cookie information is now ignored if the hash does not match.

Original comment by nlak...@gmail.com on 13 Nov 2009 at 12:52