I'm not sure how "safe" it really is, and I'm interested in what you find. I will say I took a look at what goes on with a normal login; ultimately the session variables get set at cookie setting time, so I figured it was a good path to go here. I get that setting the variables unchecked has risk of interception on the way back from the API, but isn't that really the same risk as passing a password through POST? I hope this passes, though, since I know that cookie handling is a peeve of mine in Ruby, and I think others would like to see this implemented, too. Thanks for looking at it.

Eddie

On Nov 2, 2007, at 6:48 PM, Yuri Astrakhan wrote:

> Is setting session variables directly with the values provided by a
> client safe? Shouldn't there be some check first? Just a thought,
> need to double check.
>
> --Yuri
>
> On 11/2/07, Eddie Roger <[EMAIL PROTECTED]> wrote:
>> Roan,
>>
>> Thanks. Hope this works.
>>
>> Eddie
>>
>> On 11/2/07, Roan Kattouw <[EMAIL PROTECTED]> wrote:
>>> Eddie Roger wrote:
>>>> But, being new to shared development like this, I've never
>>>> submitted anything before. How can I submit a patch?
>>> Just e-mail it and I'll test and commit it for you.
>>>
>>> Roan Kattouw
>>>
>>> _______________________________________________
>>> Mediawiki-api mailing list
>>> [email protected]
>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-api
