Re: [Semanticscuttle-devel] Functionality: Private RSS, rsscount, rss and page fixes
From: <ss...@fn...> - 2010-01-19 10:11:14
As suggested, I'm taking a discussion to the mailing list :>

> What I did not implement and will not implement:
> - private rss feeds by appending an extra parameter. Private rss feeds
> themselves: yes, but not that parameter.
> The reason for this is that by using http basic auth with
> http://user:pass@host/..., we have something that's well-known and working.
> Downside is that it can be sniffed when used over an insecure network
> connection.

As is now, I agree that both cookiehash and http auth for private rss feeds are insecure. The reasoning behind allowing access to private feeds via some sort of hash in the query parameter is compatibility with various aggregators. Delicious does the same thing; however, I don't believe that its hash is in any way related to the username or password.

Ideally both the hash and the cookie hashes would be randomly generated and stored; however, that would require a bit of editing to the core auth system (adding a session table and a cleanup function).

This may be a viable temporary measure: md5sum the cookie hash (which is an md5sum of user+pass). This hash would -only- grant access to one's private feed and not one's entire account - unless there's something broken with md5sum(md5sum(data)).

> "The links displayed in bookmark listings no longer prepend url_redir "
> - I did not see that change in your patch. You can already disable that in
> the configuration options globally. Enabling it only for RSS feeds is not a
> sensible option in my eyes.

Actually what I did was edit bookmarks.php to not -display- url_redir:

(a href=URL_REDIR+URL)URL(/a)

as opposed to

(a href=URL_REDIR+URL)URL_REDIR+URL(/a)
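The two feed-token schemes discussed in the message above (the temporary measure of md5 over the md5(user+pass) cookie hash, and the randomly generated, stored token it calls ideal), as an added Python sketch that is not part of the thread and not SemanticScuttle's own code. The user table, the `rss.php?user=...&key=...` URL shape and the function names are assumptions for illustration; the only things taken from the post are that the cookie hash is md5(user+pass) and that the feed token is md5 of that hash. Both gates use a constant-time comparison, and the account gate rejects the feed token because the derived token differs from the cookie hash it was computed from.

```python
import hashlib
import hmac
import secrets

# Constructed fixture: what a server would store per account. The cookie
# hash is md5(user + pass) as described in the thread; the table layout is
# an illustration, not SemanticScuttle's actual schema.
USERS = {
    "alice": {"cookie_hash": hashlib.md5(b"alices3cret").hexdigest()},
}

# Storage for the "ideal" variant: random tokens that are issued, stored
# and can be revoked without touching the account credentials.
FEED_TOKENS: dict[str, str] = {}


def cookie_hash(username: str, password: str) -> str:
    """Cookie hash as described in the thread: md5(user + pass)."""
    return hashlib.md5((username + password).encode()).hexdigest()


def derived_feed_token(username: str) -> str:
    """Temporary-measure token: md5 of the stored cookie hash.

    The server computes it from what it already stores, so no password is
    needed, and the value differs from the cookie hash, so it cannot be
    replayed against the account gate. Anyone holding the cookie hash can
    compute it, but not the other way round (short of an md5 preimage).
    """
    return hashlib.md5(USERS[username]["cookie_hash"].encode()).hexdigest()


def account_access(username: str, presented: str) -> bool:
    """Full-account gate: presented value must equal the cookie hash."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["cookie_hash"].encode(), presented.encode())


def feed_access(username: str, presented: str) -> bool:
    """Private-feed gate: accepts the derived token or an issued random one."""
    if username not in USERS:
        return False
    if hmac.compare_digest(derived_feed_token(username).encode(), presented.encode()):
        return True
    issued = FEED_TOKENS.get(username)
    return issued is not None and hmac.compare_digest(issued.encode(), presented.encode())


def issue_random_feed_token(username: str) -> str:
    """Random, stored token: unrelated to the password and revocable."""
    token = secrets.token_hex(16)
    FEED_TOKENS[username] = token
    return token


def revoke_feed_token(username: str) -> None:
    FEED_TOKENS.pop(username, None)


def feed_url(username: str, token: str) -> str:
    """Hypothetical query-parameter form for an aggregator (names assumed)."""
    return f"https://example.invalid/rss.php?user={username}&key={token}"


if __name__ == "__main__":
    ch = cookie_hash("alice", "s3cret")
    ft = derived_feed_token("alice")
    print("feed token grants feed:", feed_access("alice", ft))
    print("feed token grants account:", account_access("alice", ft))
    print("feed URL:", feed_url("alice", ft))
```

Usage: an aggregator is given `feed_url(user, token)`; the server calls `feed_access` on the `key` parameter and never `account_access`. Revoking a derived token still requires changing the password (the token is a function of it), which is the property the random stored variant removes.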