[geeklog-devel] Prototype fix for expiring security tokens (was: geeklog: Experimental: Give the user an idea how long they have ...)

Joe Mucchiello joe at ThrowingDice.com
Sun Dec 20 15:04:59 EST 2009


At 02:16 PM 12/20/2009, you wrote:
>Feedback welcome.

The urlencode() of the post and get data should actually call htmlspecialchars(). They aren't being placed in a URL. They are being placed in HTML. Personally, I base64 them so you know there are no special chars, but that's just me.

It would be nice if there were a parameter to SEC_checkToken which 
would bypass the builtin security check. A plugin author might have 
reason to disallow the relogin. (Why? Who knows? But it doesn't hurt 
to allow it.)

function SEC_checkToken($handle_relogin = true)
{
    global $LANG20;

    // Token is valid: nothing more to do.
    if (SECINT_checkToken()) {
        return true;
    // Token failed but the caller does not want the re-login handling.
    } else if (!$handle_relogin) {
        return false;
    }
...

If you saved the post/get data to the database you could support 
OpenID. But that code would probably be a bit convoluted.


----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 
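The escaping point made in the message, as an added example (not Geeklog code): saved POST data is re-emitted as hidden fields on the re-login form, once with urlencode() and once with htmlspecialchars(), on the same constructed input. The helper names and the $savedPost sample are assumptions for illustration.

```php
<?php
// Added example (not Geeklog code): re-emitting saved POST data as hidden
// form fields on a re-login page after a security token has expired.
// Helper names are hypothetical; the $savedPost content is constructed.

// Flatten nested request data into field names PHP will re-parse (a[b] => v).
function flattenRequestData(array $data, string $prefix = ''): array
{
    $pairs = [];
    foreach ($data as $key => $value) {
        $name = ($prefix === '') ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $pairs += flattenRequestData($value, $name);
        } else {
            $pairs[$name] = (string) $value;
        }
    }
    return $pairs;
}

// Build the hidden fields with a caller-supplied escaping function so the
// two choices can be compared on the same input.
function hiddenFields(array $data, callable $escape): string
{
    $html = '';
    foreach (flattenRequestData($data) as $name => $value) {
        $html .= '<input type="hidden" name="' . $escape($name)
               . '" value="' . $escape($value) . '">' . "\n";
    }
    return $html;
}

// htmlspecialchars() with ENT_QUOTES: the value is going into an HTML
// attribute, so quotes and angle brackets must not end the attribute.
$htmlEscape = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

// Constructed sample of what the user had submitted when the token expired.
$savedPost = [
    'title'   => 'Hello "World" & <friends>',
    'options' => ['notify' => 'a b'],
];

// urlencode() is for query strings: "a b" comes back as "a+b" and the
// name options[notify] becomes options%5Bnotify%5D, so the data is mangled.
echo hiddenFields($savedPost, 'urlencode');

// htmlspecialchars() keeps the data intact and the markup well-formed.
echo hiddenFields($savedPost, $htmlEscape);
```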