
Textpattern CMS support forum


#1 2006-10-30 19:14:31

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: tuk_if_logged_in

This sets the login cookie for the domain rather than only the textpattern folder. Then it is possible for the plugin to check if the user viewing the site is logged in.

That’s a bad idea, because it raises the stakes should an XSS hole ever arise.

The better way to implement such a plugin would be to use the admin-side hooks to set a second cookie for the whole domain for every user that logs in, which is derived in a one-way fashion (salted hash) from the user-specific login-nonces. Should that cookie be stolen, it does not have any effect on the administration backend.

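The scheme Sencer describes above, as an added illustration that is not part of the forum post and not Textpattern's or the plugin's own code: the admin side keeps the real per-user login nonce, and the domain-wide "logged in" cookie is an HMAC of that nonce under a server-side secret (the salt). The public-side plugin can verify it by recomputing the tag, but the admin side only ever accepts the raw nonce, so a stolen public cookie is useless against the backend and cannot be reversed into the nonce. The names (NONCE_STORE, admin_login, derive_public_cookie, is_logged_in, admin_authenticates) and the in-memory nonce table are assumptions standing in for the CMS's own session storage.

```python
import hashlib
import hmac
import secrets

# Constructed: a server-side secret (the "salt") that never leaves the server.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed stand-in for the per-user login-nonce table the admin side keeps.
NONCE_STORE: dict[str, str] = {}


def admin_login(user: str) -> str:
    """Admin-side login: mint a fresh per-user nonce (the admin cookie value)."""
    nonce = secrets.token_hex(32)
    NONCE_STORE[user] = nonce
    return nonce


def admin_logout(user: str) -> None:
    """Admin-side logout: dropping the nonce invalidates both cookies at once."""
    NONCE_STORE.pop(user, None)


def derive_public_cookie(user: str, nonce: str, secret: bytes = SERVER_SECRET) -> str:
    """One-way derivation of the domain-wide tag from the login nonce.

    HMAC-SHA256 keyed with the server secret; the user name is bound into the
    message so one user's tag cannot be replayed as another user's.
    """
    msg = f"{user}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def public_cookie_value(user: str, nonce: str) -> str:
    """Value the admin-side hook would set as the domain-wide cookie."""
    return f"{user}:{derive_public_cookie(user, nonce)}"


def is_logged_in(public_cookie: str) -> bool:
    """Public-side check the plugin would run: recompute the tag from the stored nonce."""
    user, _, tag = public_cookie.partition(":")
    nonce = NONCE_STORE.get(user)
    if nonce is None:
        return False
    expected = derive_public_cookie(user, nonce)
    # Constant-time comparison so timing does not leak tag bytes.
    return hmac.compare_digest(expected, tag)


def admin_authenticates(user: str, presented: str) -> bool:
    """Admin-side check: only the raw nonce is accepted, never the derived tag."""
    nonce = NONCE_STORE.get(user)
    return nonce is not None and hmac.compare_digest(nonce, presented)


if __name__ == "__main__":
    n = admin_login("alice")
    pub = public_cookie_value("alice", n)
    print("public cookie accepted on the front end:", is_logged_in(pub))
    print("public cookie accepted by the backend:", admin_authenticates("alice", pub.split(":", 1)[1]))
    admin_logout("alice")
    print("public cookie still valid after logout:", is_logged_in(pub))
```

Because the tag is keyed with a secret the front-end code never exposes, an attacker who steals the domain-wide cookie through a front-end XSS gets nothing that the admin side will honour, which is exactly the property the post asks for.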
