Yuri Astrakhan wrote:
> I would like some feedback on the issue of how to allow API users to
> prove who they are without using a cookie (some clients simply do not
> support them), but instead pass all relevant information in the
> URL/POST.
>
> The login API module returns userID, userName, and userToken - all
> necessary parts of a cookie. The client should be able to pass those
> values in the URL, which should override the browser cookie (or lack
> thereof), and instead resume the session specified.
>
> The $_SESSION object gets initialized based on the cookie before the
> PHP code starts. In order to resume the session, I could set
> $_SESSION['wsUserID'], $_SESSION['wsUserName'], $_SESSION['wsToken']
> to the URL values, and set $wgUser = User::newFromSession() before any
> other operations.
>
> Does this introduce any security risks? Is there another way to solve this?
>
> Thanks!
Passing them as GET is always dangerous (having wsToken you can log in
without the password). I don't see how that would help cookie-less
clients, which anyway would be rare (some example of them?), as you still
need the session cookie (at least for editing). I had to add a dummy
edit request to my code to get it.

I'm not so sure that you can _resume_ sessions without the session-id.
Maybe add a login action which outputs the session instead? (and add a
parameter to treat it as a cookie)

_______________________________________________
Mediawiki-api mailing list
[email protected]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-api
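The two approaches discussed in the thread, as an added example that is not code from MediaWiki or from either poster: (a) copying userID/userName/token straight from the request into the session, as Yuri proposed, beside (b) a hardened variant that treats the token as the password-equivalent credential the reply says it is. The session key names (wsUserID, wsUserName, wsToken) and the call to User::newFromSession() come from the thread; the user table, the request shape and every function name below are hypothetical.

```php
<?php
// Added example, not MediaWiki code. Models the session-resume design from
// the thread. Session key names are the thread's; everything else is made up.

// Constructed server-side user table: id => [name, per-user login token].
$USERS = [
    42 => ['name' => 'Alice', 'token' => '9f86d081884c7d659a2feaa0c55ad015'],
];

// (a) As proposed: request values are copied into the session, whether they
// arrived by GET or POST. When the token travels in the URL it lands in web
// server and proxy access logs, browser history and Referer headers, and
// whoever captures it can log in without the password. Whether the copied
// values are later validated is up to User::newFromSession(); the exposure
// in the URL happens regardless.
function resumeFromRequestUnsafe(array $request, array &$session): void {
    $session['wsUserID']   = $request['wsUserID'] ?? null;
    $session['wsUserName'] = $request['wsUserName'] ?? null;
    $session['wsToken']    = $request['wsToken'] ?? null;
    // In MediaWiki, $wgUser = User::newFromSession() would follow here.
}

// (b) Hardened: the token is only read from the POST body (never the query
// string), checked against the server's copy in constant time, and the
// session id is regenerated so a caller cannot fixate it. Returns true on
// success; the session is left untouched on failure.
function resumeFromRequestSafe(string $method, array $post, array $users, array &$session): bool {
    if ($method !== 'POST') {
        return false;                       // refuse credentials carried in a URL
    }
    $uid = filter_var($post['wsUserID'] ?? null, FILTER_VALIDATE_INT);
    $tok = $post['wsToken'] ?? '';
    if ($uid === false || !isset($users[$uid]) || !is_string($tok)) {
        return false;
    }
    if (!hash_equals($users[$uid]['token'], $tok)) {   // constant-time compare
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // drop any attacker-chosen session id
    }
    // The user name comes from the server record, not from the request.
    $session['wsUserID']   = $uid;
    $session['wsUserName'] = $users[$uid]['name'];
    $session['wsToken']    = $users[$uid]['token'];
    return true;
}

// Demonstration with constructed requests (run: php this_file.php).
$sess = [];
resumeFromRequestUnsafe(
    ['wsUserID' => '42', 'wsUserName' => 'Alice',
     'wsToken' => '9f86d081884c7d659a2feaa0c55ad015'],
    $sess
);
echo "unsafe: session now holds user {$sess['wsUserID']} taken verbatim from the request\n";

$sess = [];
var_dump(resumeFromRequestSafe('GET',
    ['wsUserID' => '42', 'wsToken' => '9f86d081884c7d659a2feaa0c55ad015'], $USERS, $sess));
var_dump(resumeFromRequestSafe('POST',
    ['wsUserID' => '42', 'wsToken' => 'not-the-token'], $USERS, $sess));
var_dump(resumeFromRequestSafe('POST',
    ['wsUserID' => '42', 'wsToken' => '9f86d081884c7d659a2feaa0c55ad015'], $USERS, $sess));
echo "safe: session user is " . ($sess['wsUserName'] ?? '(none)') . "\n";
```

The hardened path still needs a transport that the cookie-less client can use (a POST body here), which is the same point the reply makes: the token is only as safe as the channel it rides in, and a login action that returns the session for the client to send back is the cleaner fit than overriding $_SESSION from URL parameters.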
