[Licom-l] Description of SPI voting process
Tim Starling
tstarling at wikimedia.org
Tue Apr 14 12:48:38 UTC 2009
Erik Moeller wrote:
> It might also be helpful to add something about how the session
> transfer works, and what information is being sent to SPI.
>
>
Wikimedia sends the following information about voters to SPI:
* User name
* Blocked status
* Edit count
* Group membership
* Language preference
Of these, only the language preference is private data. Wikimedia also
sends an authentication token which is specific to SecurePoll and is not
useful for any other purpose. Forensic information such as IP address is
gathered by the SPI server directly from the user.
Technically, session transfer works as follows:
* Wikimedia gives the user a secret token
* The user sends the token to SPI by clicking the jump button
* SPI sends the token back to Wikimedia, to auth-api.php via HTTPS, for
verification
* Wikimedia verifies the token and provides user data
* SPI checks the voter qualifications using this information, creates a
voter ID, and sets a local session cookie.
-- Tim Starling
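
The session transfer described in the message above, simulated in memory as an added example (not part of the original message and not SecurePoll's own code). The class and method names, the token lifetime, single-use tokens, the sequential voter ID and the 600-edit threshold are assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 300  # assumption: the post does not state a token lifetime

# Constructed sample voters, carrying the five fields listed in the post.
USERS = {
    "Alice": {"name": "Alice", "blocked": False, "edit_count": 900,
              "groups": ["sysop"], "lang": "en"},
    "Bob": {"name": "Bob", "blocked": True, "edit_count": 5000,
            "groups": [], "lang": "de"},
}

class Wikimedia:
    """Wiki side: hands out tokens and answers the auth-api.php check."""
    def __init__(self, users):
        self.users = users
        self.tokens = {}  # token -> (user name, expiry time)

    def issue_token(self, name, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, SecurePoll-only
        self.tokens[token] = (name, now + TOKEN_TTL)
        return token

    def auth_api(self, token, now=None):
        """Server-to-server call from SPI (HTTPS in the real deployment)."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # assumption: single use
        if entry is None or now > entry[1]:
            return None
        return self.users[entry[0]]

class SPI:
    """Voting server: verifies the token, then keeps its own session."""
    def __init__(self, wikimedia, min_edits=600):  # constructed threshold
        self.wikimedia = wikimedia
        self.min_edits = min_edits
        self.sessions = {}  # session cookie -> voter ID

    def jump(self, token):
        """User arrives via the jump button; returns a cookie or None."""
        data = self.wikimedia.auth_api(token)
        if data is None:
            return None  # unknown, replayed or expired token
        if data["blocked"] or data["edit_count"] < self.min_edits:
            return None  # voter qualifications not met
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = len(self.sessions) + 1  # local voter ID
        return cookie
```

Because the token is checked server-to-server and then discarded, a token replayed or made up by the browser yields no session, and the user data never passes through the user's hands.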