Yuri Astrakhan wrote:
> Is setting session variables directly with the values provided by a
> client safe? Shouldn't there be some check first? Just a thought,
> need to double check.
User::newFromSession() should take care of that. I've tested the patch,
gotten it to work and committed it [1]. In the same commit, I also
removed ApiLogin's sessionID return value, as it didn't really work and
was redundant anyway.
Roan Kattouw
[1] http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=27151