Conversation:
Notices
-
@verius "but maybe there's a less stressful way for the server."
Almost makes it sound like we were proposing a new API for some sort of reason ;)
-
@verius More seriously, that's the one *reliable* way to prove that the user is authenticated and it's THAT user who is logged in.
-
@lambadalambda @verius That'll work at the time you're sending credentials. It won't work later. But it may be okay for what Verius is doing.
-
@verius Specifically, just so you know, the problem there is that the user login information isn't persisted at all for security reasons, so it has no real way to know the credentials are valid unless you're already logged in, or you're logging in _at that time_. It's probably still a good idea to prevent shifting-style attacks to make sure it's the user they say th…
-
@verius The problem with situations where you're already logged in is that the session handling in postActiv right now is really shit and drops sessions randomly, and you can actually end up in situations where you're still logged in, but it doesn't recognize the session so it will return a client error 404 (which is an incorrect error code in this instance, but I'm not the one that wrote that code...)
-
@verius Haha, yeah that works.
-
@verius yeaaaaaaaaaaah
And it should
It doesn't though
-
@verius Well it's easy enough to fix that error code to be a 401 at least. I'll do that next I'm at my computer properly.
-
@verius Yeah. Well, I won't want to forget it so I'll grab that one ASAP.