From: Damian P. <da...@da...> - 2005-07-27 18:41:57
On Tue, Jul 26, 2005 at 05:06:57PM +0100, Michael Davey wrote:
> Sylvie Greverend wrote:
> >Each time I have a session ending while I am editing, I have the response
> >- use remember me (but I don't like cookies)
> >- change your tiki session lifetime to a higher time.. ok
> >- use another authentication method .... not always possible
> >I am never completely satisfied with that - and you?
> >
> >What about having a hidden field with the user hash in the form of the
> >save/preview button?
> >Will it be a security issue?
>
> What about showing the login screen rather than an error message when
> the session has ended, and making the login code 'remember' the
> path_info, url and other important $_REQUEST information, so that after
> one has logged in, the login screen can cause the appropriate
> information to be reposted.
>
> This is what SourceForge does, and it seems to work well.
>

Sounds good providing that $_REQUEST info can't be modified on a spoofed page and basically let you do whatever you want. XSS etc.

--
Damian Parker
Damosoft - TikiWiki Support, Development and Training
http://www.damosoft.co.uk / http://tikihost.net / http://tikiwiki.info
Telephone - 0845 004 3923 IAXtel - 700-168-0333 FWD - 72453
Full Online Support Tracking at - http://support.damosoft.net
*** http://free.tikihost.net - FREE TikiWiki hosting options!! ***
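The "remember the request, log in, then repost" flow above, with Damian's caveat built in, as an added example that is not TikiWiki's own code: the expired request is kept server-side and bound to the browser's pre-login session, only an opaque id travels through the login form's hidden field, the saved path is checked to be same-site before any replay, and a stash is single-use and time-limited. Session ids, paths and form data here are constructed sample values.

```python
import secrets
import time
from urllib.parse import urlsplit

STASH_TTL = 15 * 60  # seconds a stashed request stays replayable (constructed)
_pending = {}        # stash_id -> pending request; lives only on the server


def safe_local_path(path):
    """Accept only a same-site path, so the post-login replay cannot become an
    open redirect: one leading '/', no '//' host form, no scheme, no backslash."""
    if not isinstance(path, str) or not path.startswith("/"):
        return False
    if path.startswith("//") or "\\" in path:
        return False
    parts = urlsplit(path)
    return parts.scheme == "" and parts.netloc == ""


def stash_expired_request(pre_login_sid, path, method, form):
    """On session expiry mid-edit: keep the whole request server-side, tied to
    the browser's current (pre-login) session id. Only the returned opaque id
    goes into the login form, so a spoofed page cannot alter path or data."""
    if not safe_local_path(path) or method not in ("GET", "POST"):
        return None
    stash_id = secrets.token_urlsafe(32)
    _pending[stash_id] = {"owner": pre_login_sid, "path": path, "method": method,
                          "form": dict(form), "created": time.time()}
    return stash_id


def take_stashed_request(stash_id, pre_login_sid, now=None):
    """After a successful login: release the pending request exactly once, only
    to the browser that stashed it, and only within STASH_TTL. Returns None for
    unknown, foreign or stale ids; the caller then just shows the home page."""
    entry = _pending.pop(stash_id, None)
    if entry is None or entry["owner"] != pre_login_sid:
        return None
    now = time.time() if now is None else now
    if now - entry["created"] > STASH_TTL:
        return None
    return entry
```

The login handler regenerates the session id on success and then calls take_stashed_request with the id the browser had before login, replaying the entry's method, path and form only when it is not None.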