feeds to all forum content (Page 2 of 3)

lol
The idea is fairly simple. Instead of having the code force guest permissions, it just uses the permissions of the logged in user. No security issues there, since the authentication is done via the same cookie that PunBB uses. Now, only RSS readers that are integrated into the browser would be able to take advantage of this.

yea as i thought so ... that will be good ...

Are you working on the basis of the feed only being available to the user when they are actually logged onto the forum, rather than extracting cookie info from the browser when the in-browser feed client updates the feed?

I think we may have crossed our wires then. If I understand correctly, your method would only allow access to those non-guest feeds when the user is actually logged in, regardless of whether it uses the cookie or not?

From what I understood of pedrotuga's initial post, however, (and I hope they will correct me if I'm wrong), is that it would use and extract info from the cookie to find the users g_id, if the user was not logged in, and decide on the feed contents accordingly.

Simple question then. If PunBB uses cookie authentication, why the need to log in?

My simple point is that if the cookie alone is not enough for general usage, why should it be an exception for an alternative connection method?

MattF, I think you are mixed up with the ways cookie work.
If you navigate from page to page on a website (a punbb forum for example) while being logged in, you have to have a cookie stored in your computer. That's how php sessions work. If you don't have cookies suport PHP will add a parameter to all the links in your website so the session id is passed via querystring.
In other words, punbb already uses cookies in it's authentication system. Each time you request a page and are loggind in, your browser will fetch some information on the cookie and send it allong with your http request so the server knows that it can trust the request source.

Try this experiment: deactivate your browser's cookies, login into punbb.org and notice the urls. They will have a long random alphanumeric string passed by querystring.

To be honest i never went and check how cookies reall work in detail. I take the chance to make a side general question:
How is cookie-stored information sent to the server?
thought the headers?

PunBB doesn't use sessions, does it?

Right. That's the part I'm referring to then. The login is literally used to check and update the cookie. The cookie is then the roving authorisation, so to speak. However, if the cookie was to be trusted as is and used at all times, what's the point of the login timeout and re-login mechanism? The cookie could easily be updated without it. So why, if that's the case, should the cookie be trusted/used as an auth mechanism, (when the user hasn't logged in for a period of time), to authenticate their entitlement and access to the feed categories/forums? Normally, if the user has timed out, they need to login again to update the cookie as required, and the details are again checked against the db? However, if it was used as the auth key against the feeds, one part of the system is being removed, i.e: the login process. By virtue, that also removes one layer of security.

Btw, this all does make perfect sense in my head, but I've a feeling it's different when it's posted. If I'm still confusing everyone now, I'll concede the point.

That's different then. I had thought you meant to just extract the information and use straight off. (I ought apologise for making that assumption. One should have known you, (the devs), would sure there were proper checks first). I'll go quietly into the corner now.

If they can access the restricted feeds, they can equally easy just open up the forums. I don't see your point.

I give up. You just don't want to understand.