FS#28 - Persistant session for RSS
Opened by anw (anw) - Saturday, 04 April 2009, 16:58 GMT
Details
RSS feeds are currently tied to the user's session. When the session expires, the RSS feeds stop working.
RSS feeds are tied to the user's session because they depend on the user's permissions. We could maybe create a "degraded session key" used only for limited read-only access such as RSS. This key would be included in the RSS feed URL, so that the RSS feed would still be valid even after the user's session expires.
Note that this doesn't really require new sessions in the database. There is no reason why this "session key" should ever expire or be invalidated. So it could be a combination of the user's account ID and a checksum. The checksum would be built from a server-specific auto-generated secret key (stored in _override/global/global/global.cfg.php) and the account ID, e.g. md5(secret . '|' . userID). Including the action name is also possible - then the key would grant access only to a specific RSS feed, not all of them. An attacker won't be able to generate the checksum because he doesn't know the secret key. The server will, however, be able to verify the checksum simply by re-calculating it - if the two checksums match, the session key is valid; no database accesses are necessary.
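Added example (not Anwiki's code): the keyed-checksum scheme described in the comment above, in Python, with HMAC-SHA256 standing in for md5(secret . '|' . userID) as the checksum and the action name included so a key is scoped to one feed. The function names, the key layout and the constructed secret are assumptions.

```python
import hmac
import hashlib

# Constructed placeholder for the server-specific auto-generated secret the
# comment proposes storing in global.cfg.php (demo value, not a real key).
SERVER_SECRET = b"constructed-demo-secret-replace-me"


def _checksum(secret: bytes, user_id: int, action: str) -> str:
    """Keyed checksum over (account ID, action name).

    HMAC-SHA256 is used instead of md5(secret . '|' . userID) so the checksum
    cannot be forged or extended by anyone who does not hold the secret.
    """
    msg = f"{user_id}|{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_feed_key(secret: bytes, user_id: int, action: str) -> str:
    """Build the key placed in the RSS URL: '<userID>|<action>|<checksum>'."""
    return f"{user_id}|{action}|{_checksum(secret, user_id, action)}"


def verify_feed_key(secret: bytes, key: str, expected_action: str):
    """Return the account ID the key grants read access for, or None if invalid.

    Verification only recomputes the checksum from the secret; no session or
    database lookup is needed, as the proposal describes.
    """
    parts = key.split("|")
    if len(parts) != 3:
        return None
    user_str, action, given = parts
    # A key scoped to another feed must not unlock this one.
    if not user_str.isdigit() or action != expected_action:
        return None
    user_id = int(user_str)
    expected = _checksum(secret, user_id, action)
    # Constant-time comparison so the check does not leak partial matches.
    if not hmac.compare_digest(expected, given):
        return None
    return user_id
```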