Dang. Oh well. I'm attempting this through Ruby methods, so I'll have to get out some old cookie handling code to deal. Thanks for the answer.


On Dec 4, 2007 9:29 AM, Roan Kattouw <roan.kattouw@home.nl> wrote:
Eddie Roger wrote:
> but I don't understand the benefit of just using cookies versus using
> tokens, especially for robots. I'm not questioning Brion's decision,
> just wondering if there was explanation.
The login token thing was insecure, because someone could sneak in a URL
like:
api.php?action=something&...&lgtoken=123ABC
With lgtoken being a valid login token, assigned to the attacker's
session. That would force the victim to take over the attacker's
session, and possibly get his IP autoblocked.
> Also, I don't understand how to implement his suggestion - is that
> just with cookies now?
Yep, just cookies. See here [1] for an example of how to login using PHP
and Snoopy.

Roan Kattouw (Catrope)

[1]
http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html
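
The session fixation issue described in the thread above, as an added example that is not part of the original messages or MediaWiki's own code: it contrasts a resolver that lets a URL token select the session with one that reads the session from the cookie only. The session store, the cookie name `session`, the host `wiki.example` and both function names are assumptions made for illustration.

```ruby
require 'uri'

# Constructed session store: session token => account that owns the session.
SESSIONS = { '123ABC' => 'attacker', '789XYZ' => 'victim' }.freeze

# Constructed link of the kind described in the thread: it carries a token
# that belongs to someone else's session.
PLANTED_URL = 'http://wiki.example/api.php?action=something&lgtoken=123ABC'

# Parse a Cookie header ("a=1; b=2") into a hash of name => value.
def parse_cookies(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, out|
    name, value = pair.split('=', 2)
    out[name.strip] = value.to_s if name && !name.strip.empty?
  end
end

# Behaviour the thread calls insecure: a token in the URL wins over the
# caller's own cookie, so whoever wrote the link chooses the session.
def resolve_session_url_token(url, cookie_header)
  params = URI.decode_www_form(URI(url).query.to_s).to_h
  token = params['lgtoken'] || parse_cookies(cookie_header)['session']
  SESSIONS[token]
end

# Cookie-only behaviour: URL parameters never select a session, so a link
# written by a third party cannot switch the caller onto another session.
def resolve_session_cookie_only(_url, cookie_header)
  SESSIONS[parse_cookies(cookie_header)['session']]
end

if __FILE__ == $PROGRAM_NAME
  own_cookie = 'session=789XYZ' # the caller's own (constructed) cookie
  puts "URL token honoured: #{resolve_session_url_token(PLANTED_URL, own_cookie)}"
  puts "Cookie only:        #{resolve_session_cookie_only(PLANTED_URL, own_cookie)}"
end
```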
