Hello, everyone.

For the past couple of days, I have been working on an extension called Flask-Login, which handles user session management (but not authentication or permissions). All it does is log people in, log people out, and provide a `login_required` decorator. It also has "Remember Me" functionality, which is nice. The API and general method of operation is inspired by django.contrib.auth.

The code is available on http://bitbucket.org/leafstorm/flask-login/, and I would appreciate feedback. Right now, there are two things blocking me from making a release:

1. While there are unit tests (using Attest) for most of the functionality, the "remember me" functionality does not have any automated tests. (I am not very good at writing tests for complicated Web things like that, so if someone could help out, it would be greatly appreciated.)

2. While users *tampering* with the "remember me" cookie is prevented thanks to the magic of HMAC, currently the cookies are not particularly secure. I have two enhancements planned which should help increase security.

The first is a `require_fresh_login` decorator. If the user's session is reloaded from the "remember me" cookie, `require_fresh_login` will force them to reauthenticate before accessing the protected page. This would help combat token theft (though if OpenID is used, Armin's blog post [1] still applies).

The second is allowing user objects to have a `get_auth_token` method that returns something more suitable (like a hash combination of the username and password) and a corresponding `token_loader` that would load a user by their token instead of their ID.

Anyway, please tell me what you think of the code.

[1] http://lucumr.pocoo.org/2010/8/18/the-lazy-user-is-openid-s-security-issue/

--
Regards, Matthew "LeafStorm" Frazier
http://leafstorm.us/

Héllo Matthew,

> 2. While users *tampering* with the "remember me" cookie is prevented
> thanks to the magic of HMAC, currently the cookies are not particularly
> secure. I have two enhancements planned which should help increase
> security.

Could you explain a bit about this? Why didn't you just inherit from SecureCookie, like it's done in Flask for Session? What are the enhancements you are planning?

Regards,

Amirouche aka. abki

On 06/26/2011 07:00 PM, Amirouche Boubekki wrote:
> Héllo Matthew,
>
>> 2. While users *tampering* with the "remember me" cookie is prevented
>> thanks to the magic of HMAC, currently the cookies are not particularly
>> secure. I have two enhancements planned which should help increase
>> security.
>
> Could you explain a bit about this, why didn't you just inherited the
> SecureCookie like it's done in Flask for Session ? What are the
> enhancements you are planning ?

One of the enhancements was "Session Protection." It basically stores a fingerprint of the user's browser (user agent + IP address). If either the user agent or the IP address changes, the session will be either marked non-fresh or discarded entirely, depending on the application's settings. Non-fresh sessions will not pass the `require_fresh_login` decorator, which it is assumed will be used to protect sensitive functions like account settings. That one made it into 0.1.

The other one, I did not end up implementing, as it would require considerable amounts of infrastructure to support. Basically, it would generate unique tokens for each user session, and whenever a person attempted to be remembered, it would discard the old session token and create a new one.

The reason that I did not inherit SecureCookie is that SecureCookie is designed for storing key-value data in a dictionary, and all I needed was to store some text. Using SecureCookie would have required me to work around most of its functionality, and implementing an HMAC-based cookie from scratch turned out to be easier.

> Regards,
>
> Amirouche aka. abki

--
Regards, Matthew "LeafStorm" Frazier
http://leafstorm.us/
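
An added example, not part of the thread and not Flask-Login's code: a from-scratch HMAC-signed text cookie of the kind Matthew describes, combined with the per-session token rotation he did not implement. `sign`, `unsign`, `RememberStore`, the cookie layout and the key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value; a real app loads its own secret


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(payload: str, key: bytes = SECRET_KEY) -> str:
    """Cookie value is plain text plus a MAC: 'payload|hexdigest'."""
    return payload + "|" + _mac(payload, key)


def unsign(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload if the MAC verifies, otherwise None."""
    payload, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    # Compare as bytes: compare_digest() rejects non-ASCII str input.
    if not hmac.compare_digest(mac.encode("utf-8"), _mac(payload, key).encode("utf-8")):
        return None
    return payload


class RememberStore:
    """Hypothetical server-side table holding one live token per remembered session."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user_id, current token)

    def issue(self, user_id: str, session_id: str = None) -> str:
        session_id = session_id or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        # Overwriting the entry is what discards the previous token.
        self._sessions[session_id] = (user_id, token)
        return sign(f"{user_id}:{session_id}:{token}")

    def redeem(self, cookie: str):
        """Check a presented cookie; on success rotate it.

        Returns (user_id, replacement_cookie) or None.
        """
        payload = unsign(cookie)
        if payload is None:
            return None  # tampered or malformed
        try:
            user_id, session_id, token = payload.rsplit(":", 2)
        except ValueError:
            return None
        stored = self._sessions.get(session_id)
        if stored is None or stored[0] != user_id:
            return None  # unknown or revoked session
        if not hmac.compare_digest(token.encode("utf-8"), stored[1].encode("utf-8")):
            return None  # validly signed, but an old (already rotated) token
        return user_id, self.issue(user_id, session_id)

    def revoke_all(self, user_id: str) -> int:
        """Drop every remembered session of one user; returns how many were dropped."""
        stale = [sid for sid, (uid, _) in self._sessions.items() if uid == user_id]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)
```

The HMAC alone only stops tampering; a copied cookie stays valid until the server-side token it names is rotated or revoked, which is the infrastructure cost mentioned in the message above.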

> One of the enhancements was "Session Protection." It basically stores a
> fingerprint of the user's browser (user agent + IP address).

How can this work with dynamic IP ?

> The other one, I did not end up implementing, as it would require
> considerable amounts of infrastructure to support. Basically, it would
> generate unique tokens for each user session, and whenever a person
> attempted to be remembered, it would discard the old session token and
> create a new one.

This looks like a feature gmail has. In gmail you can discard all your current sessions. I don't think it should be default, Flask-Login should just provide the feature.

> The reason that I did not inherit SecureCookie is that SecureCookie is
> designed for storing key-value data in a dictionary, and all I needed
> was to store some text. Using SecureCookie would have required me to
> work around most of its functionality, and implementing an HMAC-based
> cookie from scratch turned out to be easier.

I understand that you wanted your implementation to be efficient, since a key/value "store" can also store text, doesn't it ?

In the code you use this:

    #: A proxy for the current user.
    current_user = LocalProxy(lambda: _request_ctx_stack.top.user)

If I understood the proxy thing well, you'd rather do the same thing flask [1] does, which is:

    current_user = LocalProxy(partial(_lookup_object, 'user'))

I would like to propose adding a `get_local` function for Flask extension developers that would be:

    def get_local(name):
        return LocalProxy(partial(_lookup_object, name))

you would do:

    current_user = get_local('user')

This way it's clear for extension developers how to make request-like objects available.

What do you think ?

Regards,

Amirouche aka. abki.

[1] https://github.com/mitsuhiko/flask/blob/master/flask/globals.py

>> One of the enhancements was "Session Protection." It basically stores a
>> fingerprint of the user's browser (user agent + IP address).
>
> How can this work with dynamic IP ?

Please correct me if I'm wrong but, IPs don't change that often and worst case scenario is they have to log back in.

2011/6/29 Adam Patterson <fakeempire@gmail.com>

>>> One of the enhancements was "Session Protection." It basically stores a
>>> fingerprint of the user's browser (user agent + IP address).
>>
>> How can this work with dynamic IP ?
>
> Please correct me if I'm wrong but, IP's don't change that often and worst
> case scenario is they have to log back in.

I don't know myself how dynamic it is.

On Wed, Jun 29, 2011 at 10:14 AM, Amirouche Boubekki <amirouche.boubekki@gmail.com> wrote:
> 2011/6/29 Adam Patterson <fakeempire@gmail.com>
>
>>>> One of the enhancements was "Session Protection." It basically stores a
>>>> fingerprint of the user's browser (user agent + IP address).
>>>
>>> How can this work with dynamic IP ?
>>
>> Please correct me if I'm wrong but, IP's don't change that often and worst
>> case scenario is they have to log back in.
>
> I don't know myself how dynamic it is.

Most setups with dynamic IPs use DHCP and under normal circumstances an IP address won't change as long as a computer (or router) is turned on and connected to the network.

Also, most people are connected to private networks that funnel out of a single public IP address, so if your private network IP address changes then you still have the same public IP address to the rest of the world. But if your app is being served on the same internal network, then that won't help you much.

On a mobile device, one's IP is constantly changing. Every Wi-Fi connection, 3G, 4G, Edge and the plethora of other ways phones get on the web will get you a new ip. Dial-up users also suffer from dynamic ip disease. Oh and folks who work out of their laptops in various internet cafes or just someone on the road.

On Wed, Jun 29, 2011 at 11:22 AM, Philip Cammarata <philip@cammarata.me> wrote:
> On a mobile device, one's IP is constantly changing. Every Wi-Fi
> connection, 3G, 4G, Edge and the plethora of other ways phones get on the
> web will get you a new ip. Dial-up users also suffer from dynamic
> ip disease. Oh and folks who work out of their laptops in various internet
> cafes or just someone on the road.

Oh yeah, I wasn't thinking about mobile.

In any case, being able to configure how you want to behave when dealing with "fresh" sessions and non-fresh sessions is quite brilliant.

And actually, some ISPs use a 5min DHCP refresh. My IP changes about once or twice a day. Cell phone IPs change a lot when moving between cell sites (public transportation). Some corp proxy servers do this, too, or load-balancing NAT routers.

Incorporating an IP address *can* be a factor of disqualifying the "trustiness" of a session, but it *shouldn't* be a writ-fast rule that a changing IP invalidates a session. Detecting MITM attacks on an unsecured channel isn't something that can be detected by factoring in an IP address. Detecting a MITM attack on a secured session is outside of the reasonable scope of a session module. Cost > benefit.

-sc

--
Sean Chittenden
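
An added example, not part of the thread and not Flask-Login's code, covering both Matthew's "Session Protection" description and Sean's point that an IP change can lower trust without always invalidating the session. The function names, mode names, session keys and sample requests are assumptions constructed for the illustration.

```python
import hashlib
import hmac

MODES = ("mark_stale", "discard")  # hypothetical names for the two behaviours described


def fingerprint(user_agent: str, remote_addr: str, use_ip: bool = True) -> str:
    """Hash of user agent (+ IP address when use_ip is True)."""
    parts = [user_agent, remote_addr] if use_ip else [user_agent]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def check_session(session: dict, user_agent: str, remote_addr: str,
                  mode: str = "mark_stale", use_ip: bool = True) -> str:
    """Compare the request with the fingerprint stored in the session.

    Returns 'ok', 'stale' (session kept but no longer fresh) or
    'discarded' (session emptied). Mutates `session`.
    """
    if mode not in MODES:
        raise ValueError("unknown mode: %r" % mode)
    current = fingerprint(user_agent, remote_addr, use_ip)
    stored = session.get("_fp")
    if stored is None:
        session["_fp"] = current  # first request: bind the session
        return "ok"
    if hmac.compare_digest(stored, current):
        return "ok"
    if mode == "discard":
        session.clear()  # user must log in again
        return "discarded"
    session["_fresh"] = False  # stays logged in, loses "fresh" status
    session["_fp"] = current   # design choice: rebind to the new client
    return "stale"


def fresh_login_ok(session: dict) -> bool:
    """What a fresh-login guard would test before a sensitive view."""
    return "user_id" in session and session.get("_fresh", False) is True


def replay(requests, mode: str, use_ip: bool = True):
    """Run constructed (user_agent, ip) requests through one logged-in session."""
    session = {"user_id": "alice", "_fresh": True}
    results = []
    for user_agent, remote_addr in requests:
        outcome = check_session(session, user_agent, remote_addr, mode, use_ip)
        results.append((outcome, "user_id" in session, fresh_login_ok(session)))
    return results


# Constructed sample: same browser, address changes on the third request
# (documentation-range IPs), as with a phone moving between networks.
UA = "ExampleBrowser/1.0"
ROAMING = [(UA, "198.51.100.7"), (UA, "198.51.100.7"),
           (UA, "203.0.113.40"), (UA, "203.0.113.40")]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, replay(ROAMING, mode))
    print("discard, UA only", replay(ROAMING, "discard", use_ip=False))
```

Each result tuple is (outcome, still logged in, passes the fresh-login check), so the two modes can be compared request by request on the same roaming client.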

Most DHCP leases are 8 hours or more (and keep renewing). This shouldn't be an issue.

I'm also interested in this question Matthew. Also, thank you for your work.

On Sun, Jun 26, 2011 at 6:00 PM, Amirouche Boubekki <amirouche.boubekki@gmail.com> wrote:
> Héllo Matthew,
>
>> 2. While users *tampering* with the "remember me" cookie is prevented
>> thanks to the magic of HMAC, currently the cookies are not particularly
>> secure. I have two enhancements planned which should help increase
>> security.
>
> Could you explain a bit about this, why didn't you just inherited the
> SecureCookie like it's done in Flask for Session ? What are the
> enhancements you are planning ?
>
> Regards,
>
> Amirouche aka. abki

Dear Matthew,

Thank you! :) This should speed up coding as auth is a basic functionality everyone at some point would need to implement.

Thanks again. Looking fwd to first release.

Abdul

Thank you for this code, I really like the idea and the simple API. I look forward to the first release.

Alex

The API looks nice. This kind of lib definitely has a place with other FlaskExt.

Keep up the good work !

I've posted an entry to my blog "Flask Extensions For Authorization with Examples" if anyone would care to peer review.

I'm also looking for 'roll your own' examples if you'd care to send them to me.

Regards, Col

Could you provide a link to your blog?

--
Regards,
------------------------------------
Alessio Civitillo
alessiocivitillo@gmail.com
Mobile: (0045) 52645608
Linkedin: http://it.linkedin.com/in/alessiocivitillo

Sorry, http://terse-words.blogspot.com/