[Mediawiki-l] Using Ajax for single sign on. How bad of an idea is this?

Adam Meyer meyer7 at mindspring.com
Sun May 1 00:59:26 UTC 2011


I'm really not one for reasonable solutions if it means inconvenience to the user.

I'm looking for ways to integrate single sign on for phpBB and MediaWiki.

I have only found one solution, but I'm wondering how bad of an idea this is.

When a user goes to MediaWiki it does an AJAX call to a phpBB file and checks if the user is logged in or not. If they are, MediaWiki would then force a login for that user. If not, it would force a logout.

I know that the AJAX response can be faked pretty easily by setting a stop point in Firebug or console, and changing the return value. So this would easily allow a user to change who they are logged in as.

But what if I included a salted hash and checked the values against that? I think it would only be as strong as the algorithm.


I just cannot keep requiring the 2 sign on thing - it is so confusing on my site.


-Adam
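
Added example, not part of the original post: the "salted hash" question above, sketched as a keyed MAC that phpBB issues and MediaWiki verifies on the server, so a value edited in the browser no longer matches. The function names, `SSO_KEY` and `SSO_TTL` are hypothetical; the sketch assumes both applications can read a secret that is never sent to the client, and that the token travels over HTTPS.

```php
<?php
// Hypothetical shared secret, stored in both servers' configuration only.
// A salt or key that reaches the browser gives no protection, because the
// user can recompute the hash for any username.
const SSO_KEY = 'constructed-demo-key-replace-with-random-bytes';
const SSO_TTL = 60; // seconds a token stays valid, which limits replay

// phpBB side: called only after phpBB's own session check has passed.
function sso_issue(string $user, int $now): string {
    $payload = base64_encode(json_encode(['u' => $user, 'exp' => $now + SSO_TTL]));
    return $payload . '.' . hash_hmac('sha256', $payload, SSO_KEY);
}

// MediaWiki side: returns the username, or null for a forged or expired token.
function sso_verify(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Recompute the MAC on the server and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, SSO_KEY), $mac)) {
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['u'], $data['exp'])
        || !is_string($data['u']) || !is_int($data['exp'])) {
        return null;
    }
    return $data['exp'] >= $now ? $data['u'] : null;
}

// Constructed demonstration values.
$now   = time();
$token = sso_issue('Adam', $now);
var_dump(sso_verify($token, $now));               // token exactly as issued

// Payload changed in the browser to another name, MAC left as issued.
[, $mac] = explode('.', $token);
$edited  = base64_encode(json_encode(['u' => 'Admin', 'exp' => $now + SSO_TTL]));
var_dump(sso_verify($edited . '.' . $mac, $now));

// Token presented after its lifetime has passed.
var_dump(sso_verify($token, $now + SSO_TTL + 1));
```

MediaWiki should act only on the username returned by `sso_verify`, never on a logged-in flag or name that the AJAX response carries unsigned.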

