[pmwiki-devel] AuthUser farm security

marc gmane at auxbuss.com
Tue Dec 19 05:15:39 CST 2006


Patrick R. Michaud said...
> On Mon, Dec 18, 2006 at 05:09:45PM -0000, marc wrote:
> > Patrick R. Michaud said...
> > > On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > >
> > > > This page has some information at the very bottom
> > > > using php code    session_name('XYZSESSID');
> > > > 
> > > >    http://www.pmwiki.org/wiki/PmWiki/Passwords
> > > > 
> > > > So of the three methods above, which is the best?
> > > 
> > > Only the session name approach really separates things fully.
> > > The user group approach isn't very clean, and somehow I don't think
> > > the $CookiePrefix approach will work at all.  
> > 
> > I've just got round to testing the session name approach and failed to 
> > get it to work. The wiki has two fields. As the first line of each 
> > local/config.php I added unique session_name() calls. This resulted in 
> > the session cookies containing identical content, despite the different 
> > names.
> 
> Unfortunately, if one is loading authuser.php from farmconfig.php
> (or doing anything else that invokes PHP sessions) then calling
> session_name() from local/config.php occurs too late, because
> the session_name has to be set prior to any sessions being opened.

Sorry, I obviously had my brain switched off when reading the 
instructions and not only missed the authuser.php restriction <slap>, 
but should have twigged in any case.
 
> > > Still, if we can come up with a good way for each wiki on
> > > a server to receive a unique identifier that it can use for
> > > the session cookie, that would probably resolve things for
> > > most people.
> > 
> > That would be great.
> 
> Any ideas?  All of the ones I can come up with are pretty icky
> and/or not very reliable.

I saw your follow-up in pmwiki.user and look forward to reading 
suggestions there. Your proposal certainly works for me.

-- 
Best,
Marc
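The ordering Patrick describes above (a per-wiki identifier passed to session_name() before any session is opened) as an added PHP example; it is not code from this thread or from PmWiki itself, and it assumes each field has its own directory holding its index.php, that farmconfig.php is processed before any session_start(), and that authuser.php is included from farmconfig.php as in the thread.

```php
<?php
// Added example (not from the thread or from PmWiki): a farmconfig.php
// fragment that gives every field in a farm its own PHP session name, so
// an AuthUser login on one field does not carry over to the other fields.
//
// Assumptions (labelled): each field lives in its own directory containing
// the index.php that points at the farm's pmwiki.php, this file runs before
// any session is opened, and authuser.php is loaded from here.

// 1. Derive a stable per-field identifier from the field's directory.
//    dirname(SCRIPT_FILENAME) differs for every field; hashing it keeps the
//    session name short and limited to characters PHP accepts.
$fieldDir = realpath(dirname($_SERVER['SCRIPT_FILENAME']));
$fieldId  = substr(md5($fieldDir), 0, 12);

// 2. session_name() must run before the first session_start(). Putting it in
//    local/config.php is too late when authuser.php (which opens a session)
//    has already been included from this file.
session_name('PmWiki' . $fieldId);

// 3. Optional extra scoping: tie the cookie to this field's URL path so the
//    browser never sends one field's session cookie to another field.
$fieldPath = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
session_set_cookie_params(0, $fieldPath);

// 4. Only now load AuthUser; it opens the session under the per-field name.
include_once("$FarmD/scripts/authuser.php");
```

Each field then gets a distinct cookie (for example PmWiki3a1f… on one field and PmWiki9c7e… on another), which is the separation the thread's session-name approach is after.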
