-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yesterday, Werdna and Tim committed some initial code for adding shared
login session state to CentralAuth. The promise of this is that not only
do you have the same login state on multiple wikis, but you only have to
go through the login form once -- your login will be active on the other
sites as well.
There are two parts to this:

1) Central session data is maintained alongside the local sessions.
A cookie with the session key (or long-term login token) is shared
across an entire domain (say, wikipedia.org), letting all wikis on that
domain initialize their local sessions when you navigate to them.

2) On login, the central session cookies are set at multiple mid-level
domains.
This is done by loading a special login URL at each domain as an inline
image; that then sets a cookie for its domain as it's loaded. This
allows us to set, for instance, a cookie for wiktionary.org when you
logged in from wikipedia.org.
I've been doing some code review, local testing, and tweaking. The
general theory is reasonably sound though I have some concerns and notes...

Security:
The sessions are set on other domains by passing an internal token value
on a URL -- an unencrypted HTTP GET request. It's bad enough we're still
passing all kinds of stuff around in unencrypted cookies, but those GET
URLs go into all sorts of logs, which seems pretty creepy to me.
I'd be more comfortable with one-time-use tokens, which won't be of any
use to anyone once they've seen them. Resetting them on logout only
helps insofar as anyone actually logs out... I know I never do. :)

Compatibility:
Third-party cookies can be disabled by various browser options and
privacy proxies. The 1x1 invisible PNG may itself be blocked by privacy
or ad proxies. It may or may not be more compatible to use little
iframes or something.... or that might just suck. :)
Anyway, should be considered.

Logging out:
Currently, logout only clears your global session cookies; it doesn't
clear local session state. You log in once, but you may have to log out
many times.
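To make the two mechanisms above and the two concerns concrete, here is a small Python model I added for this note; it is not CentralAuth's code and does not reflect how MediaWiki stores sessions. It shows a central session that local sessions on each domain are initialised from, a cross-domain hand-off value (the thing that rides in the inline-image URL) that is random, bound to one target domain, short-lived and consumed on first use, so that a copy left in a request log is useless afterwards, and a logout that tears down every local session at once. The names `CentralSessionStore`, `HANDOFF_TTL` and `walkthrough`, and the 60-second lifetime, are my own assumptions.

```python
import secrets
import time

HANDOFF_TTL = 60  # seconds a cross-domain hand-off token stays valid (assumed value)


class CentralSessionStore:
    """Toy central login state shared by several wiki domains (illustration only)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}        # central session id -> {"user": ..., "locals": set()}
        self.handoff_tokens = {}  # one-time token -> (central id, bound domain, expiry)
        self.local_sessions = {}  # (domain, local session id) -> central session id

    def login(self, user):
        """The single pass through the login form: create the central session."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "locals": set()}
        return sid

    def attach_local(self, sid, domain):
        """Initialise a local session on `domain` from the central one
        (what a wiki does when it sees the shared central cookie)."""
        if sid not in self.sessions:
            raise KeyError("unknown central session")
        local = secrets.token_urlsafe(16)
        self.local_sessions[(domain, local)] = sid
        self.sessions[sid]["locals"].add((domain, local))
        return local

    def issue_handoff(self, sid, target_domain):
        """Mint the value carried in the inline-image URL for another domain:
        random, bound to that domain, short-lived and single-use, so a copy
        left in a request log is worthless once it has been redeemed."""
        if sid not in self.sessions:
            raise KeyError("unknown central session")
        token = secrets.token_urlsafe(32)
        self.handoff_tokens[token] = (sid, target_domain, self.clock() + HANDOFF_TTL)
        return token

    def redeem_handoff(self, token, domain):
        """Called by the wiki on `domain` when the image URL is loaded.
        The token is consumed on first sight, even on failure, so a replayed
        URL never yields a session (fail closed)."""
        entry = self.handoff_tokens.pop(token, None)
        if entry is None:
            return None
        sid, bound_domain, expiry = entry
        if bound_domain != domain or self.clock() > expiry or sid not in self.sessions:
            return None
        return sid

    def is_logged_in(self, domain, local):
        sid = self.local_sessions.get((domain, local))
        return sid is not None and sid in self.sessions

    def logout(self, sid):
        """One logout removes the central session, every local session derived
        from it and any hand-off tokens not yet redeemed; returns locals cleared."""
        entry = self.sessions.pop(sid, None)
        if entry is None:
            return 0
        for key in entry["locals"]:
            self.local_sessions.pop(key, None)
        stale = [t for t, (s, _, _) in self.handoff_tokens.items() if s == sid]
        for t in stale:
            del self.handoff_tokens[t]
        return len(entry["locals"])


def walkthrough(clock):
    """Log in on wikipedia.org, hand the session to wiktionary.org, replay the
    logged URL, let a token expire, then log out once. `clock` is a one-element
    list so the test can advance time; the domains are constructed sample values."""
    store = CentralSessionStore(clock=lambda: clock[0])
    sid = store.login("example-user")
    wp_local = store.attach_local(sid, "wikipedia.org")

    token = store.issue_handoff(sid, "wiktionary.org")
    first = store.redeem_handoff(token, "wiktionary.org")    # image load: succeeds
    replay = store.redeem_handoff(token, "wiktionary.org")   # same URL from a log: fails
    wt_local = store.attach_local(first, "wiktionary.org")

    late = store.issue_handoff(sid, "wikibooks.org")
    clock[0] += HANDOFF_TTL + 1                               # token sat in a log too long
    expired = store.redeem_handoff(late, "wikibooks.org")

    cleared = store.logout(sid)
    return {
        "handoff_ok": first == sid,
        "replay_rejected": replay is None,
        "expired_rejected": expired is None,
        "locals_cleared": cleared,
        "still_logged_in": store.is_logged_in("wikipedia.org", wp_local)
                           or store.is_logged_in("wiktionary.org", wt_local),
    }


if __name__ == "__main__":
    print(walkthrough([1000.0]))
```

Binding the token to the target domain and popping it before any check means a token observed for one domain cannot be redeemed on another, and a failed attempt burns it rather than leaving it valid for a second try; the short TTL bounds how long an unredeemed copy in a log remains live at all.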

Incomplete migrations:
I haven't thoroughly tested, but my impression is that the global
session state will only get set up properly if the remote wiki that
happens to get hit for that domain has the global account.
If there's a non-matching local account there, it looks like it won't
set the session for the whole domain.
- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org
iEYEARECAAYFAkf+p14ACgkQwRnhpk1wk46qPACg3M0+dGCDKA2lmKHxFZ7ukDQH
EKsAoKFS5PD/bA4w0XhqrGovh3pXSK2e
=I2q/
-----END PGP SIGNATURE-----