"BV" == Brion Vibber brion@pobox.com writes:
BV> Problems found that still need to be fixed:
BV> * Cookie check in Special:Userlogin fails if that's the very
BV> first page the visitor came to in the session (possible fix:
BV> do a single redirect if the cookie isn't found; on the second
BV> try if there's still no cookie we complain)
Do you mean if the user comes straight in to the login form, and submits the login form? That seems to be working. What _won't_ work is bookmarking something like:
wiki.phtml?title=Special:Userlogin&wpName=UserName&wpPassword=password&action=submit
...and loading that without going to any other pages first. It will tell you that you have cookies disabled when in fact you may not.
Is that _really_ something we have to support? Logging in without the login form? It seems like a bit of a pathological case. In fact, I believe that fixing bug 842921 (forms accept GET parameters) would prevent that URL from working anyways.
One other possible scenario is that there's a form on another Web site (outside the cookie domain) that has a login form that submits to a MediaWiki site. Again, I wonder if this is worth development effort.
If it really is worth writing code for, maybe the best way to do this is to check the referrer and bounce them back to the login form if the referrer is empty or isn't on the same site.
~ESP
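
The two checks discussed in this thread, sketched as an added example that is not part of the original post and is not MediaWiki code: the referrer check from the reply and the single-redirect retry from the quoted message. The cookie name, retry flag, host and action names are hypothetical, and the example assumes credentials in a GET query string are ignored.

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "wiki_session"  # hypothetical cookie name
RETRY_FLAG = "cookiecheck"       # hypothetical marker set on the single redirect


def same_site(referer, host):
    """True only if the Referer header names the host that received the request."""
    ref = urlsplit(referer).hostname if referer else None
    # An absent, stripped or unparseable header counts as "not from this site".
    return ref is not None and ref == urlsplit("//" + host).hostname


def by_referrer(method, host, cookies, referer):
    """Referrer variant: complain only when the submit came from our own form."""
    if method != "POST":
        return "show_form"        # assumption: credentials in a GET query are ignored
    if SESSION_COOKIE in cookies:
        return "process_login"
    if not same_site(referer, host):
        return "show_form"        # bookmark or off-site form: bounce, no complaint
    return "complain_no_cookies"  # our form was served, yet no cookie came back


def by_single_redirect(cookies, query):
    """Redirect variant: retry once, complain if the cookie is still missing."""
    if SESSION_COOKIE in cookies:
        return "process_login"
    if RETRY_FLAG in query:
        return "complain_no_cookies"  # second try, still no cookie
    return "redirect_once"            # set the cookie, redirect with RETRY_FLAG


# Constructed sample requests (host and values are made up for illustration).
HOST = "wiki.example.org"
FORM = "http://wiki.example.org/wiki.phtml?title=Special:Userlogin"
SAMPLES = {
    "bookmarked GET": ("GET", HOST, {}, ""),
    "off-site form": ("POST", HOST, {}, "http://other.example.net/login.html"),
    "own form, cookies off": ("POST", HOST, {}, FORM),
    "own form, cookies on": ("POST", HOST, {SESSION_COOKIE: "abc"}, FORM),
}


def run_samples():
    """Apply the referrer variant to every constructed request."""
    return {name: by_referrer(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:24} -> {action}")
```

A client that sends neither cookies nor a Referer header never reaches the complaint in the referrer variant; the redirect variant does not depend on that header.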