https://bugzilla.wikimedia.org/show_bug.cgi?id=27309

--- Comment #9 from T. Gries <m...@tgries.de> 2011-02-10 23:58:31 UTC ---
> There is nothing more secure about prefixing internal $_SESSION data with a
> cookie prefix. The fact that you have this conflict means that these wikis
> already know each other's $_SESSION (which they SHOULD NOT), THAT is insecure,
> prefixing keys we use inside $_SESSION WILL NOT fix that making it more 
> secure,
> because both wikis will still be able to access each other's session data. The
> only proper thing to do is to properly make use of http's cookie domain and
> cookie path to restrict cookies so that the two wikis do not have access to
> each other's session data.
Yes, you are right - as said before - I admit. But there's is also nothing
wrong in adding $wgCookiePrefix .

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to