Brion Vibber wrote:
> Security:
> The sessions are set on other domains by passing an internal token value on a URL -- an unencrypted HTTP GET request. It's bad enough we're still passing all kinds of stuff around in unencrypted cookies, but those GET URLs go into all sorts of logs, which seems pretty creepy to me.
Agree. Time for secure logins ;) The excuse was that you logged in to the same domain the cookie was set to, but now you've lost that excuse. Make the user log in to https://login.wikimedia.org/ so the user/pass is not sent in the open. When you authenticate, do:
* Logging you into wikipedias... <img src="https://login.wikipedia.org" />
* Logging you into wiktionaries... <img src="https://login.wiktionary.org" />
...and so on.
If the image loads, show a nice OK sign; otherwise the placeholder should tell the user he isn't logged in on that portion of the site. That image is less likely to be blocked (browsers could start complaining that the secure site links to external domains, but there's little to do there).
> Resetting them on logout only helps insofar as anyone actually logs out... I know I never do. :)
Neither do I. It's so handy being automatically logged in for weeks...
Also, when is AutoAuthenticate called? I don't see it clearly in hooks.txt or the code (and it's too late to start following the calling procedures). Is it called on any page view, or only when you're going to the edit/login page? I think the latter would be preferred for SUL. And auto-creation could require a "Do you want to create your local account?" step if your action is not explicitly to enter.
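As an added illustration of the per-domain image probe proposed in the reply above (this is not code from the thread or from MediaWiki), the snippet below wires one hidden image per login host, reports OK or not-logged-in from the image's load/error event, and refuses any probe URL that is not https, since the point of the scheme is that the session material travels only inside an encrypted request. The login hosts are the two named in the message; the status labels and the injectable image factory are assumptions made so the logic can run outside a browser.

```javascript
// Added example, not part of the original message or of MediaWiki.
// Login hosts as named in the reply; any further hosts would be added here.
const LOGIN_HOSTS = [
  { family: "wikipedias",   origin: "https://login.wikipedia.org" },
  { family: "wiktionaries", origin: "https://login.wiktionary.org" },
];

// Build the probe URL, refusing anything but https: an http probe would
// send the session material in the open, which is exactly the problem
// the secure-login proposal is meant to remove.
function probeUrl(origin) {
  const u = new URL(origin);
  if (u.protocol !== "https:") {
    throw new Error("login probe must use https: " + origin);
  }
  return u.toString();
}

// Label shown beside each project family (wording is an assumption).
function statusLabel(loaded) {
  return loaded ? "OK" : "not logged in on this site";
}

// Wire one probe. `makeImg` is injected so the logic can run without a DOM;
// in a browser pass () => new Image(). Setting `src` last starts the request,
// after both handlers are attached.
function startProbe(entry, makeImg, report) {
  const img = makeImg();
  img.onload = () => report(entry.family, statusLabel(true));
  img.onerror = () => report(entry.family, statusLabel(false));
  img.src = probeUrl(entry.origin);
  return img;
}

// Start every probe; results arrive asynchronously through `report`.
function startAllProbes(hosts, makeImg, report) {
  return hosts.map((entry) => startProbe(entry, makeImg, report));
}

// Browser usage: render one line per family as its probe resolves.
// Skipped when there is no DOM (e.g. under node).
if (typeof document !== "undefined") {
  const list = document.createElement("ul");
  document.body.appendChild(list);
  startAllProbes(LOGIN_HOSTS, () => new Image(), (family, label) => {
    const li = document.createElement("li");
    li.textContent = family + ": " + label;
    list.appendChild(li);
  });
}
```

The handlers are attached before `src` is set so a cached response cannot fire `onload` before anyone is listening; the https check lives in one place so a misconfigured host list fails loudly instead of quietly downgrading.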