[geeklog-devel] Security Tokens

Joe Mucchiello joe at ThrowingDice.com
Thu Feb 21 16:19:54 EST 2008

At 03:45 PM 2/21/2008, Michael Jervis wrote:

>Read the rest of the commit. Run it. Understand it. Then comment.

I read the whole commit. Plugins have admin pages and thus should 
also use this API. Maybe a plugin has more than just index.php in 
their admin area and has pages where the url to generate the form 
isn't the url that processes the form. That is impossible in your 
current implementation. Why make you implementation restrict where I 
put my code? A security token API should only fulfill requests for 
new tokens and kill old tokens. It shouldn't be the arbiter of context.

So, you could just answer the question. Why is $page read from 
$_SERVER fields instead of just being arbitrary text passed into the function?

And if there's a pressing reason against my idea, why didn't you just 
call COM_getCurrentURL()? That code is known to work on multiple web servers.

>TTL not yet implemented or fully figured out. Work in progress.

And GL is supposed to be in a feature freeze for the pending 1.5 
release. In my professional experience, works in progress are not 
checked into during a feature freeze. But what do I know? It's not 
like I read the devel mailing list so I'll know what's going on.

Joe Mucchiello
Throwing Dice Games

More information about the geeklog-devel mailing list