Remove the ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.

David Baker 2015-04-23 14:44:12 +01:00
parent a2c10d37d7
commit 0eb61a3d16
1 changed files with 10 additions and 2 deletions


@ -78,8 +78,16 @@ class AuthHandler(BaseHandler):
sess = self._get_session_info(sid) sess = self._get_session_info(sid)
if len(clientdict) > 0: if len(clientdict) > 0:
sess['clientdict'] = clientdict # This was designed to allow the client to omit the parameters
self._save_session(sess) # and just supply the session in subsequent calls so it split
# auth between devices by just sharing the session, (eg. so you
# could continue registration from your phone having clicked the
# email auth link on there). It's probably too open to abuse
# because it lets unauthenticated clients store arbitrary objects
# on a home server.
#sess['clientdict'] = clientdict
#self._save_session(sess)
pass
elif 'clientdict' in sess: elif 'clientdict' in sess:
clientdict = sess['clientdict'] clientdict = sess['clientdict']