[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.127, 1.128 lib-security.php, 1.62, 1.63
Joe Mucchiello
joe at ThrowingDice.com
Thu Feb 21 15:36:05 EST 2008
At 02:52 PM 2/21/2008, Michael Jervis wrote:
>+ function SEC_createToken()
>+
>+ /* Create a token for this user/url combination */
>+ /* NOTE: TTL mapping for PageURL not yet implemented */
>+ $sql = "INSERT INTO {$_TABLES['tokens']} (token, created,
>owner_id, urlfor, ttl) "
>+ . "VALUES ('$token', NOW(), {$_USER['uid']}, '$pageURL', 0)";
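Review bot: in the INSERT in this hunk, `$token` and `$pageURL` are interpolated straight into the SQL string and no escaping is visible in the quoted lines; `$pageURL` is derived from the request, so it should go through the database layer's string-escaping routine (or the statement should be parameterised) before concatenation, and `$token` should too unless its generator guarantees a safe alphabet. Separately, the two `/* ... */` comments sit inside the function body; a docblock above `SEC_createToken()` stating what the returned token is bound to, and that `ttl` is currently always written as 0, would tell callers that the TTL is not yet enforced.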
I have a simple question. Why is this so specific? Why not:
SEC_createToken($page, $ttl);
Make the caller responsible for uniquely naming what page he's on.
Maybe the page the token is created on isn't the same page the token
is processed on?
For example, suppose I had some admin function in a block. The page
url could be any page but the processor page is going to be in the
admin directory. That setup cannot use these functions.
Likewise, what is this TTL mapping stuff? Make the caller responsible
for saying "My page can sit on your browser for no longer than 5
minutes." Mappings are unfriendly to plugins, too.
Security Tokens are a great idea. But I think this needs some
discussion before being considered complete.
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
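The API shape proposed in the reply above, written out as an added illustration that is not Geeklog's code: the caller names the action and sets the lifetime, and the check does not care which URL the token was issued on. An in-memory array stands in for the tokens table, and the function names, the `$uid` value and the action name are assumptions.

```php
<?php
// Added illustration of a caller-named, caller-timed token (hypothetical
// helpers, not Geeklog's SEC_* functions). $store is an array standing in
// for the tokens table: token => row.

function sec_create_token(array &$store, $uid, $name, $ttl)
{
    $token = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG
    $store[$token] = array(
        'owner_id' => $uid,
        'name'     => $name,                   // caller-chosen action name, not a URL
        'expires'  => time() + (int) $ttl,     // per-token lifetime set by the caller
    );
    return $token;
}

function sec_check_token(array &$store, $uid, $name, $token)
{
    if (!is_string($token) || !isset($store[$token])) {
        return false;                          // unknown or already consumed
    }
    $row = $store[$token];
    unset($store[$token]);                     // one-time use: consume before deciding
    if ($row['owner_id'] !== $uid) {
        return false;                          // issued to a different user
    }
    if (!hash_equals($row['name'], (string) $name)) {
        return false;                          // issued for a different action
    }
    if (time() > $row['expires']) {
        return false;                          // TTL elapsed
    }
    return true;
}

// A block rendered on any page issues a token for an admin action with a
// five-minute lifetime (values constructed for the example)...
$tokens = array();
$t = sec_create_token($tokens, 2, 'block:delete_story', 300);
// ...and the processor in the admin directory checks it by the same name,
// regardless of which URL the form was displayed on. The first check
// succeeds; a replay of the same token is rejected because it was consumed.
$first  = sec_check_token($tokens, 2, 'block:delete_story', $t);
$replay = sec_check_token($tokens, 2, 'block:delete_story', $t);
```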