2010/9/23 Neil Kandalgaonkar <neilk(a)wikimedia.org>rg>:
I have been making the assumption that in MediaWiki,
the $_SESSION is
hidden from the
user. While applications may use the session to obtain data that's later
shown to the user,
there should be no way for the user to obtain the entire $_SESSION
contents.
So, for instance, I can hide a temporary secret there.
Is that a good assumption?
As far as I know, yes. MediaWiki sets a session cookie with an ID that
uniquely identifies the session. The session data itself is stored in
some session storage (by default we let PHP handle it, on WMF we stick
it in memcached, I believe). So unless there's some ridiculous
vulnerability allowing people to obtain the value of arbitrary keys in
$_SESSION, you should be fine AFAIK.
Roan Kattouw (Catrope)