[pmwiki-users] PmWiki session variables

Alexander Dietrich alexander at dietrich.cx
Mon Jun 23 07:03:23 CDT 2008


I asked a question about this about two weeks ago, so I think it's ok to repost:

I recently turned my PmWiki installation into a farm, and came across the comment
dealing with PHP session cookie names for preventing accidental privilege elevation.
This got me thinking: if the only thing right now stopping a user from getting
incorrect privileges on another field, couldn't a malicious user still exploit this
by simply copying the session cookie value?

Alexander Dietrich <alexander at dietrich.cx>

More information about the pmwiki-users mailing list