ConsoleKit, PolicyKit, HAL, XDG_SESSION_COOKIE

Lennart Poettering mzqohf at
Wed Jul 28 03:00:38 PDT 2010

On Fri, 23.07.10 11:05, David Zeuthen (zeuthen at wrote:

> Hi,
> On Thu, Jul 22, 2010 at 10:30 PM, Lennart Poettering <mzqohf at> wrote:
> > On Thu, 22.07.10 21:39, Stef Bon (stef at wrote:
> >
> >> >I think the XDG_SESSION_COOKIE should go away and be replaced by the
> >> >audit session id as maintained by the kernel, which however has slightly
> >> >different semantics.
> >>
> >> Why do you think that?
> >
> > Because it is sufficient to maintain one session cookie/id. There's no
> > need to maintain a number of them.
> Remember that in this case $XDG_SESSION_COOKIE was here first. And
> it's also portable to e.g. Solaris, something that mattered more than
> you probably thought it would (check the history of ConsoleKit and why
> we decided to build such a thing).
> Also, IIRC, the audit session id was not world-readable initially -
> actually, Jon (the ConsoleKit developer) asked Steve Grubb for it to
> be world-readable because we wanted to use it instead of
> $XDG_SESSION_COOKIE. In fact, Jon and I always regarded
> $XDG_SESSION_COOKIE as a hack - something we could use until the the
> Linux task structure could give us what we needed.

Oh, this was not meant really as criticism. I am aware of the reasons
behind XDG_SESSION_COOKIE and what I pointed out was mostly reflecting
what I heard from you and Jon. I wasn't trying to be smart, just
answering what was public knowledge before.

The only real criticism I had was about the fact that the alg that is
used to generate the cookie outputs guessable values.


Lennart Poettering - Red Hat, Inc.

More information about the dbus mailing list