Yuri Astrakhan wrote:
I would like some feedback on the issue of how to allow API users to prove who they are without using a cookie (some clients simply do not support them), but instead pass all relevant information in the URL/POST.
The login api module returns userID, userName, and userToken - all necessary parts of a cookie. The client should be able to pass those values in the URL, which should override the browser cookie (or lack thereof), and instead resume the session specified.
The $_SESSION object gets initialized based on the cookie before the php code starts. In order to resume the session, I could set $_SESSION['wsUserID'], $_SESSION['wsUserName'], $_SESSION['wsToken'] to the URL values, and set $wgUser = User::newFromSession() before any other operations.
Does this introduce any security risks? Is there another way to solve this?
Thanks!
Passing them as GET is always dangerous (having wsToken you can log in without the password).
I don't see how would that help cookie-less clients, which anyway would be rare (some example of them?) as you still need the session cookie (at least for editing). I had to add a dummy edit-request to my code to get it. I'm not so sure that you can _resume_ sessions without the session-id. Maybe add a login action wich outputs the session instead? (and add a parameter to treat as a cookie).