Eddie Roger wrote:
> but I don't understand the benefit of just using cookies versus using
> tokens, especially for robots. I'm not questioning Brion's decision,
> just wondering if there was an explanation.

The login token thing was insecure, because someone could sneak in a URL like:

api.php?action=something&...&lgtoken=123ABC

With lgtoken being a valid login token, assigned to the attacker's session. That would force the victim to take over the attacker's session, and possibly get his IP autoblocked.

> Also, I don't understand how to implement his suggestion - is that
> just with cookies now?

Yep, just cookies. See here [1] for an example of how to log in using PHP and Snoopy.

Roan Kattouw (Catrope)

[1] http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html
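
Added example, not part of the original message and not MediaWiki code: a simplified Python model of the problem described above, comparing a server that lets an lgtoken in the URL select the session with one that reads the session from the cookie only. The session table, the cookie name "session", the host wiki.example and all function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed session table: token -> logged-in user (hypothetical values).
SESSIONS = {"123ABC": "attacker", "9f8e7d": "victim"}

def cookie_token(headers):
    """Return the session token from the Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get("session")
    return morsel.value if morsel else None

def url_token(url):
    """Return the lgtoken query parameter of the URL, or None."""
    return parse_qs(urlsplit(url).query).get("lgtoken", [None])[0]

def resolve_user_url_token(url, headers):
    """Modelled old behaviour: an lgtoken in the URL selects the session,
    so whoever wrote the link decides which session the request runs in."""
    token = url_token(url) or cookie_token(headers)
    return SESSIONS.get(token)

def resolve_user_cookie_only(url, headers):
    """Cookie-only behaviour: URL parameters never choose the session."""
    return SESSIONS.get(cookie_token(headers))

def token_mismatch(url, headers):
    """Log check: the URL carries a token that differs from the cookie's."""
    in_url = url_token(url)
    return in_url is not None and in_url != cookie_token(headers)

# Constructed request: the victim's browser follows a planted link while
# sending its own session cookie.
PLANTED = "https://wiki.example/api.php?action=something&lgtoken=123ABC"
VICTIM_HEADERS = {"Cookie": "session=9f8e7d"}

if __name__ == "__main__":
    print("URL token honoured:", resolve_user_url_token(PLANTED, VICTIM_HEADERS))
    print("cookie only:       ", resolve_user_cookie_only(PLANTED, VICTIM_HEADERS))
    print("mismatch flagged:  ", token_mismatch(PLANTED, VICTIM_HEADERS))
```

With cookies only, the link's author has no influence over which session the request is tied to, which is the point of the change discussed in the thread.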
