Dang. Oh well. I&#39;m attempting this through Ruby methods, so I&#39;ll have to get out some old cookie handling code to deal. Thanks for the answer. <br><br><br><div class="gmail_quote">On Dec 4, 2007 9:29 AM, Roan Kattouw &lt;
<a href="mailto:roan.kattouw@home.nl">roan.kattouw@home.nl</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Eddie Roger schreef:
<br><div class="Ih2E3d">&gt; but I don&#39;t understand the benefit of just using cookies versus using<br>&gt; tokens, especially for robots. I&#39;m not questioning Brion&#39;s decision,<br>&gt; just wondering if there was explanation.
<br></div>The login token thing was insecure, because someone could sneak in a URL<br>like:<br>api.php?action=something&amp;...&amp;lgtoken=123ABC<br>With lgtoken being a valid login token, assigned to the attacker&#39;s<br>
session. That would force the victim to take over the attacker&#39;s<br>session, and possibly get his IP autoblocked.<br><div class="Ih2E3d">&gt; Also, I don&#39;t understand how to implement his suggestion - is that<br>&gt; just with cookies now?
<br></div>Yep, just cookies. See here [1] for an example of how to login using PHP<br>and Snoopy.<br><br>Roan Kattouw (Catrope)<br><br>[1]<br><a href="http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html" target="_blank">
http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html</a><br><br>_______________________________________________<br>Mediawiki-api mailing list<br><a href="mailto:Mediawiki-api@lists.wikimedia.org">Mediawiki-api@lists.wikimedia.org
</a><br><a href="http://lists.wikimedia.org/mailman/listinfo/mediawiki-api" target="_blank">http://lists.wikimedia.org/mailman/listinfo/mediawiki-api</a><br></blockquote></div><br>