[wp-hackers] Rethinking check_admin_referer()
Sam Angove
sam at rephrase.net
Fri Apr 21 03:18:54 GMT 2006
On 4/21/06, John Joseph Bachir <jjb at ibiblio.org> wrote:
>
> Not to toot my own horn but... this problem is solved and implemented in
> Lyceum, using a security token for every administrative action, which
> results in an identical user experience to wordpress, and allows for
> usage of post or get requests as desired by the programmer. Is there
> anything about this solution that folks don't like?
We wouldn't have spent 100+ messages talking about it if we weren't
interested. Owen listed some reasons why Lyceum's specific method
("b-1") mightn't be desirable, e.g. that it requires server-side
storage. There's talk of making the system pluggable, so Lyceum's
method could be implemented in a plugin if the extra security is
required.
More information about the wp-hackers
mailing list