[pmwiki-devel] AuthUser farm security
Patrick R. Michaud
pmichaud at pobox.com
Mon Dec 18 11:47:21 CST 2006

On Mon, Dec 18, 2006 at 05:09:45PM -0000, marc wrote:
> Patrick R. Michaud said...
> > On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > > Just learned that when logged into one wiki using AuthUser, you
> > > have access to all wikis in that farm which also use AuthUser.
> >
> > This is true only when all of the wikis in the farm have
> > the same domain name.
> >
> > > This page has some information at the very bottom
> > > using php code session_name('XYZSESSID');
> > >
> > > http://www.pmwiki.org/wiki/PmWiki/Passwords
> > >
> > > This page has some information near the bottom with the
> > > heading "Ugh - Authentication Sessions and Farms". It suggests
> > > two ways, using a different user group for each farm or using
> > > php code $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';
> > >
> > > http://www.pmwiki.org/wiki/Cookbook/AuthUser
> > >
> > > So of the three methods above, which is the best?
> >
> > Only the session name approach really separates things fully.
> > The user group approach isn't very clean, and somehow I don't think
> > the $CookiePrefix approach will work at all.
>
> I've just got round to testing the session name approach and failed to
> get it to work. The wiki has two fields. As the first line of each
> local/config.php I added unique session_name() calls. This resulted in
> the session cookies containing identical content, despite the different
> names.

Unfortunately, if one is loading authuser.php from farmconfig.php
(or doing anything else that invokes PHP sessions) then calling
session_name() from local/config.php occurs too late, because
the session_name has to be set prior to any sessions being opened.

> > Still, if we can come up with a good way for each wiki on
> > a server to receive a unique identifier that it can use for
> > the session cookie, that would probably resolve things for
> > most people.
>
> That would be great.

Any ideas? All of the ones I can come up with are pretty icky
and/or not very reliable.

Pm
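The ordering constraint Pm describes (session_name() is ignored once a session is already open) is easy to reproduce and check. The following is an added illustration, not code from this thread or from PmWiki itself. It assumes that each wiki field in a farm is served from its own directory with its own index.php, so that the directory of the entry script (`$_SERVER['SCRIPT_FILENAME']`) is a stable per-field identifier; the `PmWiki_` prefix and the function names are made up for the example, and `session_status()` needs PHP 5.4 or later.

```php
<?php
// Added example, not PmWiki's own code: give each wiki field in a farm its
// own session cookie name, and do so *before* any session is opened.
//
// Assumptions (not from the thread): every field has its own index.php in
// its own directory, so that directory uniquely identifies the field.
// session_status() requires PHP >= 5.4.

/**
 * Derive a session cookie name from a per-field identifier.
 * Session names should contain only letters, digits and underscores,
 * so the path is hashed rather than used directly.
 */
function farm_session_name($fieldDir)
{
    return 'PmWiki_' . substr(md5(realpath($fieldDir) ?: $fieldDir), 0, 8);
}

/**
 * Apply the per-field session name.
 * Returns true if it took effect, false if a session was already active,
 * in which case the cookie name for this request can no longer be changed.
 */
function set_farm_session_name($fieldDir)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Some earlier include (e.g. authuser.php pulled in from
        // farmconfig.php) has already called session_start().
        return false;
    }
    session_name(farm_session_name($fieldDir));
    return true;
}

// In a farm this would be the very first statement of farmconfig.php,
// ahead of the include of authuser.php or anything else that starts a
// session (hypothetical placement, not a PmWiki convention):
//
//   set_farm_session_name(dirname($_SERVER['SCRIPT_FILENAME']));

// Stand-alone check with two constructed field directories: the names
// differ, so each field gets its own session cookie.
$a = farm_session_name('/var/www/farm/fieldA');
$b = farm_session_name('/var/www/farm/fieldB');
echo $a, PHP_EOL, $b, PHP_EOL;
echo ($a !== $b) ? "distinct session names per field" : "collision", PHP_EOL;

// Reproduce the failure mode from the thread: once a session is open,
// the renaming attempt is refused and the shared default name stays.
session_start();
$applied = set_farm_session_name('/var/www/farm/fieldA');
echo $applied ? "renamed" : "too late: session already started", PHP_EOL;
echo "active session name: ", session_name(), PHP_EOL;
```

Run from the command line, the first two lines print two different `PmWiki_…` names, and the final lines report that the rename came too late and that the default session name (normally `PHPSESSID`) is still in force. That is exactly the symptom marc observed: a session_name() call placed in local/config.php runs after farmconfig.php has already opened the session, so every field ends up sharing one cookie and one set of credentials.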