From: Iain S. <iai...@ya...> - 2001-02-21 23:37:10
At 04:18 PM 2/21/2001 -0500, Todd L. Miller wrote:

> Well, I found a little problem with authentication for
> editing. Basically, the edit links are generated when the page is saved,
> which means they can't append the PHP session id, so I'd have to use
> cookies to allow people to edit w/o entering their password every new
> edit, or alter PrintWikiTopic to substitute the session id, if available,
> where it needed to go. This method has the disadvantage of requiring a
> potentially expensive search & replace every time a logged-in user views a
> page. Cookies have their obvious dis/advantages, but one advantage: I
> won't have to go through sfWiki and make sure every link in it or link
> that it produces has the session id hanging off of it. Thoughts?

Use cookies. Just one "per session cookie" that only holds a session id. Anyone without cookies turned on can't edit. It's a bit hardline but it's the easiest to implement and support and is a common tactic nowadays (SourceForge itself requires cookies for this reason...).

URL rewriting is a pain in the tuckis and I'd only support that if I was doing a major commercial site where I couldn't afford to alienate anyone. Anyone technical enough to know what cookies really are (or are willing to learn) knows that they aren't any more a security/privacy risk than URL rewriting... and that is currently the jos members (I hope they're at least that technical). :)

-iain
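
The cookie-only approach recommended above, as an added example that is not part of the original message and is not sfWiki code: a per-session cookie carries only the session id, ids arriving in the URL are ignored, and edit requests without a logged-in session are refused. The function names, the `user` session key and the `edit.php` entry point are hypothetical; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example; not sfWiki code. Function names and the 'user' key are hypothetical.

function start_cookie_only_session(): void
{
    // Accept the session id from the cookie only, never from the URL.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');   // no automatic URL rewriting of links
    ini_set('session.use_strict_mode', '1'); // refuse ids the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,      // per-session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the wiki is served over HTTPS
        'httponly' => true,   // cookie is not readable from page script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $username): void
{
    // Call only after the password has been verified.
    session_regenerate_id(true);   // issue a fresh id at login
    $_SESSION['user'] = $username; // login state stays on the server
}

function require_editor(): string
{
    // No cookie, or no logged-in session behind it: editing is refused.
    if (empty($_COOKIE[session_name()]) || empty($_SESSION['user'])) {
        http_response_code(403);
        exit('Editing requires cookies to be enabled and a logged-in session.');
    }
    return $_SESSION['user'];
}

// edit.php (hypothetical): saved pages link here with a plain, static URL,
// so nothing in the stored page has to be rewritten per user.
start_cookie_only_session();
$editor = require_editor();
```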