[pmwiki-devel] AuthUser farm security
marc
gmane at auxbuss.com
Mon Dec 18 11:09:45 CST 2006
Patrick R. Michaud said...
> On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > Just learned that when logged into one wiki using AuthUser, you
> > have access to all Wiki's in that farm which also use AuthUser.
>
> This is true only when all of the wikis in the farm have
> the same domain name.
>
> > This page has some information at the very bottom
> > using php code session_name('XYZSESSID');
> >
> > http://www.pmwiki.org/wiki/PmWiki/Passwords
> >
> > This page has some information near the bottom with the
> > heading "Ugh - Authentication Sessions and Farms". It suggests
> > two ways, using a different user group for each farm or using
> > php code $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';
> >
> > http://www.pmwiki.org/wiki/Cookbook/AuthUser
> >
> > So of the three methods above, which is the best?
>
> Only the session name approach really separates things fully.
> The user group approach isn't very clean, and somehow I don't think
> the $CookiePrefix approach will work at all.
I've just got round to testing the session name approach and failed to
get it to work. The wiki has two fields. As the first line of each
local/config.php I added unique session_name() calls. This resulted in
the session cookies containing identical content, despite the different
names.
> Still, if we can come up with a good way for each wiki on
> a server to receive a unique identifier that it can use for
> the session cookie, that would probably resolve things for
> most people.
That would be great.
--
Best,
Marc
More information about the pmwiki-devel
mailing list