[pmwiki-users] PmWiki session variables

Alexander Dietrich alexander at dietrich.cx
Mon Jun 23 07:03:23 CDT 2008


Hi,

I asked a question about this about two weeks ago, so I think it's ok to repost:

-----
I recently turned my PmWiki installation into a farm, and came across the comment
dealing with PHP session cookie names for preventing accidental privilege elevation.
This got me thinking: if the only thing right now stopping a user from getting
incorrect privileges on another field, couldn't a malicious user still exploit this
by simply copying the session cookie value?
-----

Best,
Alexander
-- 
Alexander Dietrich <alexander at dietrich.cx>



More information about the pmwiki-users mailing list