I was looking through changes to the apiedit branch and saw a revert to disable login tokens. I read the note in SVN as to why, but I don't understand the benefit of just using cookies versus using tokens, especially for robots. I'm not questioning Brion's decision, just wondering if there was an explanation. Also, I don't understand how to implement his suggestion - is that just with cookies now? Thanks.
Eddie
Eddie Roger wrote:
> but I don't understand the benefit of just using cookies versus using tokens, especially for robots. I'm not questioning Brion's decision, just wondering if there was an explanation.

The login token thing was insecure, because someone could sneak in a URL like:

api.php?action=something&...&lgtoken=123ABC

with lgtoken being a valid login token, assigned to the attacker's session. That would force the victim to take over the attacker's session, and possibly get his IP autoblocked.

> Also, I don't understand how to implement his suggestion - is that just with cookies now?

Yep, just cookies. See here [1] for an example of how to log in using PHP and Snoopy.
Roan Kattouw (Catrope)
[1] http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html
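The lgtoken problem Roan describes, as an added example that is not part of this thread or of MediaWiki's code: a toy Ruby session store with the URL-trusting resolution beside the cookie-only one, plus session-id rotation on login. SessionStore, its method names and the "lgtoken"/"session" keys are illustrative assumptions, not MediaWiki's API.

```ruby
require "securerandom"

# Toy session store (constructed for this example, not MediaWiki code).
# Session ids are opaque random strings; "user" records who is logged in.
class SessionStore
  def initialize
    @sessions = {}  # session id => { "user" => name or nil }
  end

  def create
    sid = SecureRandom.hex(16)
    @sessions[sid] = { "user" => nil }
    sid
  end

  # Vulnerable resolution, modelling the lgtoken defect: an id carried in the
  # URL wins over the visitor's own cookie, so a link that embeds someone
  # else's id drops the visitor into that other session.
  def vulnerable_resolve(params, cookies)
    sid = params["lgtoken"] || cookies["session"]
    @sessions.key?(sid) ? sid : create
  end

  # Hardened resolution: only the cookie selects a session, URL parameters are
  # ignored, and an unknown cookie value gets a fresh session rather than trust.
  def hardened_resolve(_params, cookies)
    sid = cookies["session"]
    @sessions.key?(sid) ? sid : create
  end

  # Login rotates the id: the pre-login session is discarded and the user is
  # bound to a new one, so an id seen before login is worthless afterwards.
  def login(old_sid, user)
    @sessions.delete(old_sid)
    sid = create
    @sessions[sid]["user"] = user
    sid
  end

  def user_of(sid)
    @sessions.fetch(sid)["user"]
  end

  def known?(sid)
    @sessions.key?(sid)
  end
end
```

The same two inputs (a crafted link's query string and the visitor's own cookie) are handed to both resolvers, so the difference in which session comes back is the whole bug.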
Dang. Oh well. I'm attempting this through Ruby methods, so I'll have to get out some old cookie handling code to deal. Thanks for the answer.
On Dec 4, 2007 9:29 AM, Roan Kattouw <roan.kattouw@home.nl> wrote:
> Eddie Roger wrote:
>> but I don't understand the benefit of just using cookies versus using tokens, especially for robots. I'm not questioning Brion's decision, just wondering if there was an explanation.
>
> The login token thing was insecure, because someone could sneak in a URL like:
>
> api.php?action=something&...&lgtoken=123ABC
>
> with lgtoken being a valid login token, assigned to the attacker's session. That would force the victim to take over the attacker's session, and possibly get his IP autoblocked.
>
>> Also, I don't understand how to implement his suggestion - is that just with cookies now?
>
> Yep, just cookies. See here [1] for an example of how to log in using PHP and Snoopy.
>
> Roan Kattouw (Catrope)
>
> [1] http://lists.wikimedia.org/pipermail/mediawiki-api/2007-October/000117.html
Mediawiki-api mailing list Mediawiki-api@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Eddie Roger wrote:
> I was looking through changes to the apiedit branch and saw a revert to disable login tokens. I read the note in SVN as to why, but I don't understand the benefit of just using cookies versus using tokens, especially for robots. I'm not questioning Brion's decision, just wondering if there was an explanation.
The reason and vulnerability (which Roan already told you) was discussed on wikitech at the time.