06 Jul 2008 09:41
TAGS: cookie files handling lighttpd session static user wikidot
Unfortunately, it seems that our last approach (described here) to finally get the uploaded files right was not exactly possible. As authorization in Wikidot is based on cookies and sessions, they will not pass through cross-domain solution.
Allowing to read session_id from cookie in user uploaded HTMLs in not a good idea because of possible session spoofing.
So we designed an authorization mechanism that allows owner of a particular session browsing files from a certain wiki.
When a request to restricted user uploaded file (on the *.wdupload.wikidotsyndication.com domain) is performed, we will check if the cookie is set, then if it points to a valid session and if the user bound to the session is granted a permission to view the file.
If the auth cookie is not set, we'll redirect the browser to the *.wikidot.com site (which can read the original session-cookies) that will generate a unique key and redirect back to the original domain appending the unique key to the GET request. The original domain will then set the cookie and the access will be granted (or not).