[MediaWiki-l] Embedded login and account creation

Ad Strack van Schijndel ad.strackvanschijndel at gmail.com
Thu Oct 1 09:12:07 UTC 2015


Hi Chris,

Thanks for your answer! One thing I don't understand is about the XFO headers.
Do we have to add them, or is it a condition that we don't have them?

Ad


On 30 Sep 2015, at 17:48, Chris Steipp <csteipp at wikimedia.org> wrote:

Hi Ad,

There are some security considerations if you're going to do that:

* We disable site and user .js on Special:UserLogin, so a malicious admin
can't add password sniffing javascript to the login page
* We disable framing the page to prevent various redressing attacks
* If your site is mixed http/https, there is special handling on that page
to ensure the user enters/submits their password over https.
* If you're using CentralAuth or another SSO system, then we check if
you're logged in on Special:UserLogin, to work around some browser cookie
policies.

So it's *usually* not a good idea to create your own login widget. But if
you're running your site entirely under https, have a limited number of
admins, add XFO headers on all pages, and don't use any SSO system, then go
for it!



On Tuesday, September 29, 2015, Ad Strack van Schijndel <
ad.strackvanschijndel at gmail.com> wrote:

> Hi,
> 
> Is there a way to embed the login and/or the account creation on normal
> pages?
> 
> I would like to have the possibility to login in a sidebar as long as the
> user is anonymous. So that there are no extra clicks to login.
> 
> I'm sure if there isn't, there is a very good reason for that and I would
> like to understand that reason.
> 
> Ad
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> 
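The checklist Chris gives above (every page that would carry the embedded form must refuse framing, and the form must submit over https) can be turned into a pre-flight audit. The following script is an added example written for this thread; it is not part of MediaWiki and not code from either correspondent. The page records, URLs (`wiki.example`) and response headers below are constructed for the example; the one external fact it relies on is that browsers give a CSP `frame-ancestors` directive precedence over `X-Frame-Options`, so the CSP directive is evaluated first.

```python
"""Pre-flight checks before embedding a login form on ordinary wiki pages:
every page that would carry the widget must refuse framing (X-Frame-Options
or CSP frame-ancestors) and every form on it must submit over https.
All sample pages, URLs and headers here are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def framing_blocked(headers):
    """Return (blocked, reason) for one response's headers.

    Header names are matched case-insensitively.  A CSP frame-ancestors
    directive overrides X-Frame-Options in browsers that support CSP, so it
    is checked first; only 'none' or 'self' count as blocking third parties.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources and all(s in ("none", "self") for s in sources):
                return True, "CSP frame-ancestors %s" % " ".join(sources)
            return False, "CSP frame-ancestors allows other origins: %s" % " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by most browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value %r" % xfo
    return False, "no framing protection header"


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def forms_submit_over_https(page_url, html):
    """True only if the page has at least one form and every form action,
    resolved against the page URL (an empty action posts back to the page
    itself), uses the https scheme."""
    parser = _FormActions()
    parser.feed(html)
    if not parser.actions:
        return False
    return all(urlsplit(urljoin(page_url, a)).scheme == "https" for a in parser.actions)


def audit(pages):
    """Return {url: [problems]} for every page failing either condition.
    Each page record is a dict with 'url', 'headers' and 'html' keys."""
    findings = {}
    for page in pages:
        problems = []
        blocked, reason = framing_blocked(page["headers"])
        if not blocked:
            problems.append("framing not blocked: " + reason)
        if not forms_submit_over_https(page["url"], page["html"]):
            problems.append("a form on the page would submit over plain http")
        if problems:
            findings[page["url"]] = problems
    return findings


# Constructed sample pages: the first satisfies both conditions, the second
# fails both (CSP permits any framer, and the form posts to an http: URL).
SAMPLE_PAGES = [
    {"url": "https://wiki.example/wiki/Main_Page",
     "headers": {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
     "html": '<form action="/w/index.php?title=Special:UserLogin" method="post">'},
    {"url": "https://wiki.example/wiki/Help",
     "headers": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
     "html": '<form action="http://wiki.example/w/index.php?title=Special:UserLogin" method="post">'},
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_PAGES).items():
        print(url)
        for p in problems:
            print("  -", p)
```

In practice the page records would come from fetching each page of the wiki; the audit is worth running against every page the sidebar widget would appear on, not only Special:UserLogin, since the widget moves the password field onto all of them.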