[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.127, 1.128 lib-security.php, 1.62, 1.63

Michael Jervis mjervis at gmail.com
Thu Feb 21 15:45:04 EST 2008


>  Security Tokens are a great idea. But I think this needs some
>  discussion before being considered complete.

You only have part of the picture.

>  SEC_createToken($page, $ttl);

TTL may become an argument.

>  Make the caller responsible for uniquely naming what page he's on.
>  Maybe the page the token is created on isn't the same page the token
>  is processed on?

Read the rest of the commit. Run it. Understand it. Then comment.

>  Likewise, what is this TTL mapping stuff? Make the caller responsible
>  for saying "My page can sit on your browser for no longer than 5
>  minutes." Mappings are unfriendly to plugins, too.

TTL not yet implemented or fully figured out. Work in progress.


