On Wed, Sep 20, 2000 at 09:53:24PM +0930, Brett Lymn wrote:
> According to Corey R. Halpin:
> >
> >  Ok, tokens can be saved across reboots with the clog -tofile option.
> >  what happens if I take my laptop home for more than 25 hours?  Say, a week.  
> >After the 1st 25 hours, is there a way for me to get a new token, or will I be 
> >stuck with a read only home directory?
> >
> 
> No, you will not be stuck with a read only home directory.  I
> regularly go at least 2, up to 5, days without getting a new token
> without problems.  From what I can see, you need a valid token to
> integrate your changes to the server.

Correct, the servers reject the tokens. Clients really have no way of
validating if the given token is good, or just some blob of binary data.

All tokens are encoded using a secret shared between the codaservers and
the auth2 daemon. Giving this secret to the clients would not be very
smart. It might be possible for clients to validate a token when we used
a public key encryption scheme where tokens are signed cleartext and
anybody can validate this signature using the auth2 server's public key.

Jan