[geeklog-devel] [geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.127, 1.128 lib-security.php, 1.62, 1.63
Michael Jervis
mjervis at gmail.com
Thu Feb 21 15:45:04 EST 2008
> Security Tokens are a great idea. But I think this needs some
> discussion before being considered complete.

You only have part of the picture.

> SEC_createToken($page, $ttl);

TTL may become an argument.

> Make the caller responsible for uniquely naming what page he's on.
> Maybe the page the token is created on isn't the same page the token
> is processed on?

Read the rest of the commit. Run it. Understand it. Then comment.

> Likewise, what is this TTL mapping stuff? Make the caller responsible
> for saying "My page can sit on your browser for no longer than 5
> minutes." Mappings are unfriendly to plugins, too.

TTL not yet implemented or fully figured out. Work in progress.