Subject: Connect with existing ID
If the ClientId represents a client already connected to the server then the server MUST disconnect the existing client.
Isn't this a bit of a security hole? If I can guess a ClientID I can disconnect it. If there is anyone using the clientId as a topic for replies and relying on clientId for security (e.g. in Mosquitto's ACL %c to match the client id of the client), then this is also a security hole.
Can anyone comment?
Paul
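One way a broker can close both gaps raised in this message, as an added example that is not part of the original post or of any broker's code: bind the ClientId to the authenticated principal before the takeover rule runs. The `Broker` class, the `owns` prefix policy, and the names `alice`, `mallory` and `alice-sensor1` are constructed for illustration.

```python
"""Toy broker session table (constructed example, not Mosquitto's code).

Assumption: each CONNECT is already authenticated, so `principal` (username
or certificate subject) is trusted while `client_id` is client-asserted.
"""
from dataclasses import dataclass, field


def owns(principal: str, client_id: str) -> bool:
    # Hypothetical binding policy: ClientId is "<principal>" or "<principal>-<suffix>".
    return client_id == principal or client_id.startswith(principal + "-")


@dataclass
class Broker:
    bind_client_id: bool                            # False: spec rule only
    sessions: dict = field(default_factory=dict)    # client_id -> principal
    log: list = field(default_factory=list)

    def connect(self, client_id: str, principal: str) -> str:
        if self.bind_client_id and not owns(principal, client_id):
            # Refuse before the existing session is touched.
            self.log.append(f"REFUSED principal={principal} client_id={client_id}")
            return "refused"
        previous = self.sessions.get(client_id)
        self.sessions[client_id] = principal
        if previous is None:
            return "accepted"
        # Rule quoted in the message: same ClientId disconnects the existing client.
        self.log.append(f"TAKEOVER client_id={client_id} {previous}->{principal}")
        return "takeover"

    def acl_allows(self, principal: str, client_id: str, topic: str) -> bool:
        # Models a "%c"-style ACL pattern: replies/<client id>/...
        held = self.sessions.get(client_id) == principal
        return held and topic.startswith(f"replies/{client_id}/")


def demo(bind: bool):
    b = Broker(bind_client_id=bind)
    first = b.connect("alice-sensor1", "alice")
    second = b.connect("alice-sensor1", "mallory")   # other principal, same ClientId
    holder = b.sessions["alice-sensor1"]             # who holds the session now
    leak = b.acl_allows("mallory", "alice-sensor1", "replies/alice-sensor1/status")
    third = b.connect("alice-sensor1", "alice")      # legitimate reconnect
    return [first, second, third], holder, leak, b.log
```

The `REFUSED` and `TAKEOVER` log entries are the events worth alerting on: a takeover where the principal changes, or repeated refusals for one ClientId.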