Yuri Astrakhan wrote:
I would like some feedback on the issue of how to
allow API users to
prove who they are without using a cookie (some clients simply do not
support them), but instead pass all relevant information in the
URL/POST.
The login api module returns userID, userName, and userToken - all
necessary parts of a cookie. The client should be able to pass those
values in the URL, which should override the browser cookie (or lack
thereof), and instead resume the session specified.
The $_SESSION object gets initialized based on the cookie before the
php code starts. In order to resume the session, I could set
$_SESSION['wsUserID'], $_SESSION['wsUserName'],
$_SESSION['wsToken']
to the URL values, and set $wgUser = User::newFromSession() before any
other operations.
Does this introduce any security risks? Is there another way to solve this?
Thanks!
This makes sense to me. Passing the ?PHPSESSID= query string should be
a perfectly acceptable alternative to cookies; that's for what it was
made. As for Jonathan mentioned, though: You might want to include the
$_SERVER['REMOTE_ADDR'] in $_SESSION and then check it when
authenticating the user. Bots' IP addresses should not be changing in
the middle of a run, and it could prevent replay attacks like those he
describes.
-madman bum and angel