This commit is contained in:
Kovid Goyal 2012-04-03 18:45:35 +05:30
parent 734a0ba2e2
commit 5955aa775f


@ -69,6 +69,13 @@ class AuthController(object):
cookies are passed to the download process. The cookie expires after cookies are passed to the download process. The cookie expires after
MAX_AGE seconds. MAX_AGE seconds.
The android browser appears to send a GET request to the server and only if
that request succeeds is the download handed off to the download process.
Therefore, even if the user clicks Get after MAX_AGE, it should still work.
In fact, we could reduce MAX_AGE, but we leave it high as the download
process might have downloads queued and therefore not start the download
immediately.
Note that this makes the server vulnerable to session-hijacking (i.e. some Note that this makes the server vulnerable to session-hijacking (i.e. some
one can sniff the traffic and create their own requests to /get with the one can sniff the traffic and create their own requests to /get with the
appropriate cookie, for an hour). The fix is to use https, but since this appropriate cookie, for an hour). The fix is to use https, but since this
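Review bot: The hijacking caveat in the existing comment quotes a fixed window ("for an hour") while the new text above it says the cookie lives for MAX_AGE seconds and that MAX_AGE could be reduced; if MAX_AGE ever changes, the "for an hour" statement silently becomes wrong. Suggest tying the risk statement to the constant, e.g. "...create their own requests to /get with the appropriate cookie, for MAX_AGE seconds)", so the documented exposure window and the actual expiry stay in sync. Also, "The android browser appears to send a GET request" records an observation rather than a guarantee; noting which Android browser/version this was seen on would help a later reader judge whether the reasoning for keeping MAX_AGE high still holds.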