openconnect_clear_cookie()
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Fri Oct 10 04:13:09 PDT 2014
On Fri, Oct 10, 2014 at 12:35 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Fri, 2014-10-10 at 11:39 +0200, Nikos Mavrogiannopoulos wrote:
>> Hello,
>> It seems that openconnect_clear_cookie() only clears the cookie used
>> for authentication. Shouldn't that also clear any other cookies sent
>> by the server, i.e., call clear_cookies() as well? Otherwise there is
>> no other way to clear the server's state and retry.
>>
>> My use case is a server (ocserv) on which I tried a password which is
>> no longer valid. In order to retry a user-provided password I need to
>> clear all server's state (e.g., cookies), and there is no way to do
>> that as I see. Would it make sense to extend
>> openconnect_clear_cookie() for that?
> Hm, isn't openconnect_clear_cookie() just one of those semi-pointless
> security things to avoid leaving the cookie around in memory after we're
> done?
> I think what you actually want is openconnect_reset_ssl(), which has
> been used for 'reset everything to base state' by the NetorkManager
> auth-dialog since the beginning.
It doesn't clear the cookies though :(
More information about the openconnect-devel
mailing list