2010/9/23 Neil Kandalgaonkar <ne...@wikimedia.org>: > I have been making the assumption that in MediaWiki, the $_SESSION is > hidden from the > user. While applications may use the session to obtain data that's later > shown to the user, > there should be no way for the user to obtain the entire $_SESSION > contents. > > So, for instance, I can hide a temporary secret there. > > Is that a good assumption? > As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
Roan Kattouw (Catrope) _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l