On Fri, Apr 11, 2008 at 9:48 AM, Brion Vibber <brion(a)wikimedia.org> wrote:
Security:
The sessions are set on other domains by passing an internal token value
on a URL -- an unencrypted HTTP GET request. It's bad enough we're still
passing all kinds of stuff around in unencrypted cookies, but those GET
URLs go into all sorts of logs, which seems pretty creepy to me.
I'd be more comfortable with one-time-use tokens, which won't be of any
use to anyone once they've seen them. Resetting them on logout only
helps insofar as anyone actually logs out... I know I never do. :)
Brion already knows this, but for completeness, I addressed this a few days ago.
Incomplete migrations:
I haven't thoroughly tested, but my impression is that the global
session state will only get set up properly if the remote wiki that
happens to get hit for that domain has the global account.
If there's a non-matching local account there, it looks like it won't
set the session for the whole domain.
This is inaccurate. Authentication of the token stored in memcached and addressed by a one-time token given in the GET parameters is done against the central DB.
There was a silly and probably broken line in AutoLogin which loaded a corresponding local account for the sake of storing the 'rememberpassword' option, but I refactored that out in r33176.
On Sat, Apr 12, 2008 at 4:36 AM, Brion Vibber <brion(a)wikimedia.org> wrote:
This was
previously done by NOT setting local cookies on every single wiki
that you're automatically authenticated on.
Which means it doesn't set up a local session or update your cache
timestamp, which means you see various uncached settings and your first
edit fails. :)
These are bad, hence my fix.
I asked Tim, and he told me there wasn't any reason to be setting local cookies
in doing this, so I removed that line from wfCentralAuthSessionInit.
Note that, in order to address issues of caching after you've logged out, I've added a LoggedOut cookie, and added this to the list of vary-options cookies. I'm not sure if I'm supposed to be setting User::mTouched if that cookie's present as well, and, if so, I'm happy to do that.
Plus you still had local cookies wherever you explicitly logged in.
I'm getting there.
I hope I've gotten a little bit closer to addressing all your concerns :-). For full details of today's work, see this commit message:
http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=33176
Thanks for having a close look at this.
--
Andrew Garrett
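The handoff the thread argues about, modelled as an added example (not CentralAuth or MediaWiki code): the central side stores session data in a memcached stand-in under a random key, the remote domain receives that key as a one-time token on the URL, and redeeming it deletes the entry and re-checks the account against a stand-in central DB, so a token copied out of a web server log is useless after its first use or after its TTL. The class, method and parameter names, the dict-based cache and `central_db`, and the 60-second TTL are all assumptions for illustration.

```python
import secrets
import time


class CentralSession:
    """Constructed model of a one-time cross-domain login token.

    _store stands in for memcached; in a real deployment the redeem step
    must be an atomic get-and-delete so two requests cannot both succeed.
    """

    def __init__(self, ttl_seconds=60, now=time.time):
        self._store = {}          # token -> (expires_at, session data)
        self.ttl = ttl_seconds    # assumed: tokens die quickly even if unused
        self.now = now            # injectable clock, used by the test

    def issue(self, user_id, username):
        # 128 random bits: a logged URL reveals the token but nothing else,
        # and a stale token cannot be guessed or extended.
        token = secrets.token_hex(16)
        self._store[token] = (self.now() + self.ttl,
                              {"id": user_id, "name": username})
        return token

    def redeem(self, token, central_db):
        """Return session data once, or None.

        pop() removes the entry whatever the outcome, so a replayed or
        expired token never becomes usable later. central_db is an assumed
        {user_id: username} mapping standing in for the central user table.
        """
        entry = self._store.pop(token, None)
        if entry is None:
            return None                       # unknown or already used
        expires_at, data = entry
        if self.now() > expires_at:
            return None                       # issued too long ago
        if central_db.get(data["id"]) != data["name"]:
            return None                       # account gone or renamed centrally
        return data


if __name__ == "__main__":
    db = {42: "Alice"}                        # constructed central DB
    cs = CentralSession()
    t = cs.issue(42, "Alice")
    print("first redeem :", cs.redeem(t, db))   # session data
    print("second redeem:", cs.redeem(t, db))   # None: token already burned
```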