Dang. Oh well. I'm attempting this through Ruby methods, so I'll have to get
out some old cookie handling code to deal. Thanks for the answer.
On Dec 4, 2007 9:29 AM, Roan Kattouw <roan.kattouw(a)home.nl> wrote:
> Eddie Roger wrote:
>> but I don't understand the benefit of just using cookies versus using
>> tokens, especially for robots. I'm not questioning Brion's decision,
>> just wondering if there was an explanation.
> The login token thing was insecure, because someone could sneak in a URL
> like:
> api.php?action=something&...&lgtoken=123ABC
> With lgtoken being a valid login token, assigned to the attacker's
> session. That would force the victim to take over the attacker's
> session, and possibly get his IP autoblocked.
>> Also, I don't understand how to implement his suggestion - is that
>> just with cookies now?
> Yep, just cookies. See here [1] for an example of how to login using PHP
> and Snoopy.
>
> Roan Kattouw (Catrope)
>
> [1] http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html
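
The session fixation described in the quoted reply, modelled in Ruby as an added example (not code from this thread or from MediaWiki): one resolver lets an `lgtoken` URL parameter select the session, the other reads only the cookie. The host `wiki.example`, the cookie name `session`, the store contents and all function names are assumptions made for the illustration.

```ruby
require "uri"

# Constructed session store (token => session owner); not real MediaWiki data.
SESSIONS = { "123ABC" => "attacker", "VICTIM1" => "victim" }.freeze

# Parse a Cookie header such as "a=1; b=2" into a hash.
def parse_cookies(header)
  header.to_s.split(/;\s*/).map { |pair| pair.split("=", 2) }
        .select { |kv| kv.size == 2 }.to_h
end

# Query-string parameters of a URL as a hash.
def query_params(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

# Behaviour the thread calls insecure: a token in the URL selects the
# session, even over the client's own cookie.
def resolve_session_url_token(url, cookie_header)
  token = query_params(url)["lgtoken"] || parse_cookies(cookie_header)["session"]
  SESSIONS[token]
end

# Cookie-only behaviour: anything in the URL is ignored, so a link
# prepared by someone else cannot choose the session.
def resolve_session_cookie_only(_url, cookie_header)
  SESSIONS[parse_cookies(cookie_header)["session"]]
end

# Log-review helper: does a request URL still carry a login token?
def url_carries_token?(url)
  query_params(url).key?("lgtoken")
end

# Constructed request: the kind of link described in the thread.
LINK = "http://wiki.example/api.php?action=something&lgtoken=123ABC"

puts resolve_session_url_token(LINK, "session=VICTIM1")           # attacker
puts resolve_session_cookie_only(LINK, "session=VICTIM1")         # victim
puts resolve_session_cookie_only(LINK, "").inspect                # nil
puts url_carries_token?(LINK)                                     # true
```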