[geeklog-devel] Prototype fix for expiring security tokens (was: geeklog: Experimental: Give the user an idea how long they have ...)
Joe Mucchiello
joe at ThrowingDice.com
Sun Dec 20 15:04:59 EST 2009
At 02:16 PM 12/20/2009, you wrote:
>Feedback welcome.
The urlencode() of the post and get data should actually call
htmlspecialchars(). They aren't being placed in a URL. They are
being placed in HTML. Personally, I base64 them so you know there are
no special chars, but that's just me.
It would be nice if there were a parameter to SEC_checkToken which
would bypass the builtin security check. A plugin author might have
reason to disallow the relogin. (Why? Who knows? But it doesn't hurt
to allow it.)
function SEC_checkToken($handle_relogin = true)
{
    global $LANG20;

    if (SECINT_checkToken()) {
        return true;
    } else if (!$handle_relogin) {
        return false;
    }
    ...
If you saved the post/get data to the database you could support
OpenID. But that code would probably be a bit convoluted.
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
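The two points above, as an added example that is not part of the original message and not Geeklog's own code: the SECINT_checkToken(), sec_check_token() and build_relogin_form() names are stand-ins for the Geeklog functions Joe refers to, and the saved request data is constructed for the demonstration. It shows the difference between HTML-escaping saved POST/GET data for hidden fields and URL-encoding it, the base64 alternative Joe mentions, and a token check whose relogin handling a plugin can opt out of.

```php
<?php
declare(strict_types=1);

// Stand-in for Geeklog's SECINT_checkToken(); assumed shape, constructed here.
function secint_check_token(array $request, string $expected): bool
{
    return isset($request['token'])
        && hash_equals($expected, (string) $request['token']);
}

// Correct for hidden fields: the values land inside HTML attributes, so the
// escaping has to be HTML escaping. ENT_QUOTES covers both quote styles.
function hidden_fields_html(array $data): string
{
    $out = '';
    foreach ($data as $name => $value) {
        $out .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $out;
}

// Wrong tool: urlencode() happens to emit no quotes or angle brackets, so it
// does not break the markup, but the browser submits the percent-encoded
// text literally and the replayed request no longer equals the original.
function hidden_fields_urlencoded(array $data): string
{
    $out = '';
    foreach ($data as $name => $value) {
        $out .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            urlencode((string) $name),
            urlencode((string) $value)
        );
    }
    return $out;
}

// The base64 variant: one opaque field that is safe in HTML by construction.
// The receiving side must decode it, which is the trade-off.
function hidden_field_base64(array $data): string
{
    $blob = base64_encode(http_build_query($data));
    return "<input type=\"hidden\" name=\"saved\" value=\"$blob\">\n";
}

function restore_from_base64(string $blob): array
{
    $query = base64_decode($blob, true);
    if ($query === false) {
        return [];
    }
    parse_str($query, $restored);
    return $restored;
}

function build_relogin_form(array $saved): string
{
    return "<form method=\"post\" action=\"/relogin\">\n"
        . hidden_fields_html($saved)
        . "<input type=\"submit\" value=\"Log in again\">\n</form>\n";
}

// Mirrors the signature proposed above: with $handle_relogin = false a plugin
// just gets a boolean and decides for itself what an expired token means.
function sec_check_token(array $request, string $expected,
                         bool $handle_relogin = true): bool
{
    if (secint_check_token($request, $expected)) {
        return true;
    }
    if (!$handle_relogin) {
        return false;
    }
    // Saved data is everything except the stale token itself.
    $saved = $request;
    unset($saved['token']);
    echo build_relogin_form($saved);
    return false;
}

// Constructed sample request: a title with characters that matter in both
// HTML and URL encoding, and a token that does not match.
$request = [
    'title' => 'Tom & Jerry <b>"quoted"</b>',
    'body'  => 'a+b c',
    'token' => 'stale-token',
];

sec_check_token($request, 'current-token');            // prints the relogin form
echo hidden_fields_urlencoded($request);               // mangled values
echo hidden_field_base64($request);
var_dump(restore_from_base64(base64_encode(http_build_query($request))) == $request);
```

The difference is easiest to see in the title field: htmlspecialchars() turns it into entities that the browser decodes back to the exact original on submit, while urlencode() leaves "+" and "%26" in the value that then arrive as literal characters. Both variants keep the markup intact, so the bug is data corruption rather than injection, but only the HTML-escaped form both round-trips and stays safe.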