[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.127, 1.128 lib-security.php, 1.62, 1.63

Joe Mucchiello joe at ThrowingDice.com
Thu Feb 21 15:36:05 EST 2008

At 02:52 PM 2/21/2008, Michael Jervis wrote:
>+ function SEC_createToken()
>+     /* Create a token for this user/url combination */
>+     /* NOTE: TTL mapping for PageURL not yet implemented */
>+     $sql = "INSERT INTO {$_TABLES['tokens']} (token, created, 
>owner_id, urlfor, ttl) "
>+            . "VALUES ('$token', NOW(), {$_USER['uid']}, '$pageURL', 0)";

I have a simple question. Why is this so specific? Why not:

SEC_createToken($page, $ttl);

Make the caller responsible for uniquely naming what page he's on. 
Maybe the page the token is created on isn't the same page the token 
is processed on?

For example, suppose I had some admin function in a block. The page 
url could be any page but the processor page is going to be in the 
admin directory. That setup cannot use these functions.

Likewise, what is this TTL mapping stuff? Make the caller responsible 
for saying "My page can sit on your browser for no longer than 5 
minutes." Mappings are unfriendly to plugins, too.

Security Tokens are a great idea. But I think this needs some 
discussion before being considered complete.

Joe Mucchiello
Throwing Dice Games

More information about the geeklog-devel mailing list