[geeklog-devel] Security Tokens
Joe Mucchiello
joe at ThrowingDice.com
Thu Feb 21 16:19:54 EST 2008
At 03:45 PM 2/21/2008, Michael Jervis wrote:
>Read the rest of the commit. Run it. Understand it. Then comment.

I read the whole commit. Plugins have admin pages and thus should
also use this API. Maybe a plugin has more than just index.php in
their admin area and has pages where the url to generate the form
isn't the url that processes the form. That is impossible in your
current implementation. Why make your implementation restrict where I
put my code? A security token API should only fulfill requests for
new tokens and kill old tokens. It shouldn't be the arbiter of context.

So, you could just answer the question. Why is $page read from
$_SERVER fields instead of just being arbitrary text passed into the function?

And if there's a pressing reason against my idea, why didn't you just
call COM_getCurrentURL()? That code is known to work on multiple web servers.

>TTL not yet implemented or fully figured out. Work in progress.

And GL is supposed to be in a feature freeze for the pending 1.5
release. In my professional experience, works in progress are not
checked in during a feature freeze. But what do I know? It's not
like I read the devel mailing list so I'll know what's going on.

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
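
Added example, not part of the original message and not Geeklog's code: a sketch of the design argued for above, where the token API only issues and kills tokens and the caller passes the context as arbitrary text instead of the API reading it from `$_SERVER`. The function names, the in-memory `$store`, the context labels and the TTL handling are all assumptions made for illustration.

```php
<?php
// Hypothetical token API (not Geeklog's): the caller names the context,
// so the page that renders a form and the page that processes it can differ.
// $store stands in for the session or a token table; constructed for this sketch.

function token_create(array &$store, int $uid, string $context, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(16));
    // Keep only a hash so a leaked store does not reveal live tokens.
    $store[hash('sha256', $token)] = [
        'uid' => $uid, 'context' => $context, 'expires' => $now + $ttl,
    ];
    return $token;
}

function token_check(array &$store, int $uid, string $context, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;                  // unknown token, or one already used
    }
    $row = $store[$key];
    unset($store[$key]);               // single use: kill the token on first check
    return $row['uid'] === $uid
        && hash_equals($row['context'], $context)
        && $now <= $row['expires'];
}

// Constructed scenario: a plugin form rendered by one admin page and
// processed by another, both sharing an arbitrary context label.
$store = [];
$now   = 1203628794;                   // fixed clock so the run is repeatable

$t1 = token_create($store, 2, 'myplugin:delete-item', 300, $now);
var_dump(token_check($store, 2, 'myplugin:delete-item', $t1, $now + 10));  // first use
var_dump(token_check($store, 2, 'myplugin:delete-item', $t1, $now + 20));  // replay of the same token

$t2 = token_create($store, 2, 'myplugin:delete-item', 300, $now);
var_dump(token_check($store, 2, 'myplugin:edit-item', $t2, $now + 10));    // different context

$t3 = token_create($store, 2, 'myplugin:delete-item', 300, $now);
var_dump(token_check($store, 2, 'myplugin:delete-item', $t3, $now + 301)); // past the TTL
```

Binding the token to a caller-chosen label still ties it to one action, so a token issued for one form cannot be replayed against another, without coupling validity to the URL that happened to serve the form.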