Brion Vibber wrote:
> Security:
> The sessions are set on other domains by passing an internal token value
> on a URL -- an unencrypted HTTP GET request. It's bad enough we're still
> passing all kinds of stuff around in unencrypted cookies, but those GET
> URLs go into all sorts of logs, which seems pretty creepy to me.
Agree. Time for secure logins ;)
The excuse was that you logged in to the same domain the cookie was set
to, but now you've lost that excuse.
Make the user log in to https://login.wikimedia.org/ so the user/pass is
not sent in the open. When you authenticate, do:
* Log you into wikipedias... <img src="https://login.wikipedia.org" />
* Log you into wiktionaries... <img src="https://login.wiktionary.org" />
...and so on
If the image loads, place a nice Ok sign. Else the placeholder should
tell the user he isn't logged in on that site portion.
That image is more unlikely to be blocked (browsers could start
complaining that the secure site links to external domains, but there's
little to do there).
> Resetting them on logout only
> helps insofar as anyone actually logs out... I know I never do. :)
Neither do I. It's so handy being automatically logged in for weeks...
Also, when is AutoAuthenticate called? I don't see it clearly in
hooks.txt nor in the code (and it's late to start following the calling
procedures).
Is it called on any page view or only when you're going to the edit/login
page? I think the latter would be preferred for SUL. And auto-creation
could require a "Do you want to create your local account?" step if your
action is not explicitly to enter.
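One way the per-domain `<img>` requests proposed above can stay safe even when their URLs end up in logs, as an added example in Python (this is not MediaWiki code and not something from the thread beyond the image idea): the central HTTPS login issues a one-time, short-lived, domain-bound ticket, and each domain's image endpoint exchanges it for that domain's own session cookie. `CentralLogin`, `image_endpoint` and the in-memory ticket store are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class LoginTicket:
    user: str
    target: str      # the only domain allowed to redeem this ticket
    expires: float   # absolute time in seconds; tickets live for about a minute
    used: bool = False


class CentralLogin:
    """Central HTTPS login: issues one-time tickets for the per-domain <img> URLs (constructed)."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self.tickets = {}  # ticket -> LoginTicket; a real deployment would use a shared store

    def issue(self, user: str, target: str, now: float) -> str:
        # The ticket is a random opaque value, never the session id itself,
        # so a copy in a proxy or server log does not expose the session.
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = LoginTicket(user, target, now + self.ttl)
        return ticket

    def redeem(self, ticket: str, target: str, now: float):
        t = self.tickets.get(ticket)
        # Reject unknown, already used, cross-domain, or expired tickets.
        if t is None or t.used or t.target != target or now > t.expires:
            return None
        t.used = True  # a ticket replayed from a log is refused from here on
        return t.user


def image_endpoint(central: CentralLogin, domain: str, ticket: str, now: float):
    """Handler behind https://login.<domain>/?ticket=...: sets this domain's session."""
    user = central.redeem(ticket, domain, now)
    if user is None:
        # The image fails to load, so the login page can show "not logged in here".
        return 403, {}
    session_id = secrets.token_urlsafe(32)  # fresh per-domain session, never the ticket
    headers = {
        "Content-Type": "image/gif",
        "Set-Cookie": f"session={session_id}; Domain=.{domain}; Path=/; Secure; HttpOnly",
    }
    return 200, headers
```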