[rt-users] Secure RSS Feeds?

Thomas Sibley trs at bestpractical.com
Wed Jan 19 10:04:03 EST 2011


On 18 Jan 2011 19:29, Lee Hughes wrote:
> I'm testing the RSS feeds feature in RT and noticed that I can update
> the feed results in my RSS reader without logging into RT. I'm guessing
> this is related to the "NoAuth" that is embedded in the feed location
> URL. Is there a way to secure all RT RSS feeds so that the user is
> prompted for their credentials the first time they update the feed
> during a browser/reader session?

Feeds are secured by a secret auth token in the URL.  They are
authenticated for each user, and this way your feed reader doesn't need
to handle authentication (which it can't possibly do in every case for
every app).  As such, feed URLs should be regarded as private.

If a user believes their feed URLs compromised, they can reset their
authentication token at the bottom of /User/Prefs.html.

Thomas
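
The scheme described above, as an added example that is not part of the original message and is not RT's own code: a per-user secret token embedded in the feed URL, checked in constant time, and revoked by a reset. The class name, URL layout and host are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class FeedTokens:
    """Hypothetical per-user feed token store (not RT's schema)."""

    def __init__(self):
        self._tokens = {}  # username -> current secret token

    def reset(self, user):
        # 128 bits from the OS CSPRNG; replacing the value revokes every old URL.
        self._tokens[user] = secrets.token_hex(16)
        return self._tokens[user]

    def feed_url(self, user, base="https://rt.example.com"):
        # Constructed URL layout: the token in the path is the only credential,
        # so the whole URL has to be handled like a password.
        token = self._tokens.get(user) or self.reset(user)
        return f"{base}/feed/{user}/{token}/tickets.rss"

    def authenticate(self, url):
        """Return the username this URL authenticates as, or None."""
        parts = urlsplit(url).path.strip("/").split("/")
        if len(parts) != 4 or parts[0] != "feed":
            return None
        user, presented = parts[1], parts[2]
        # Unknown users are compared against a dummy value so the check
        # takes the same path whether or not the account exists.
        expected = self._tokens.get(user, "0" * 32)
        ok = hmac.compare_digest(presented.encode(), expected.encode())
        return user if ok and user in self._tokens else None


def demo():
    """Show that a reset invalidates the previously issued feed URL."""
    store = FeedTokens()
    old_url = store.feed_url("lee")           # constructed sample user
    before = store.authenticate(old_url)      # valid while the token is current
    store.reset("lee")                        # user resets the token
    after = store.authenticate(old_url)       # leaked URL no longer works
    fresh = store.authenticate(store.feed_url("lee"))
    return before, after, fresh


if __name__ == "__main__":
    print(demo())
```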


