[pmwiki-devel] AuthUser farm security
gmane at auxbuss.com
Tue Dec 19 05:15:39 CST 2006
Patrick R. Michaud said...
> On Mon, Dec 18, 2006 at 05:09:45PM -0000, marc wrote:
> > Patrick R. Michaud said...
> > > On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > >
> > > > This page has some information at the very bottom
> > > > using php code session_name('XYZSESSID');
> > > >
> > > > http://www.pmwiki.org/wiki/PmWiki/Passwords
> > > >
> > > > So of the three methods above, which is the best?
> > >
> > > Only the session name approach really separates things fully.
> > > The user group approach isn't very clean, and somehow I don't think
> > > the $CookiePrefix approach will work at all.
> > I've just got round to testing the session name approach and failed to
> > get it to work. The wiki has two fields. As the first line of each
> > local/config.php I added unique session_name() calls. This resulted in
> > the session cookies containing identical content, despite the different
> > names.
> Unfortunately, if one is loading authuser.php from farmconfig.php
> (or doing anything else that invokes PHP sessions) then calling
> session_name() from local/config.php occurs too late, because
> the session_name has to be set prior to any sessions being opened.
Sorry, I obviously had my brain switched off when reading the
instructions and not only missed the authuser.php restriction <slap>,
but should have twigged in any case.
> > > Still, if we can come up with a good way for each wiki on
> > > a server to receive a unique identifier that it can use for
> > > the session cookie, that would probably resolve things for
> > > most people.
> > That would be great.
> Any ideas? All of the ones I can come up with are pretty icky
> and/or not very reliable.
I saw your follow-up in pmwiki.user and look forward to reading
suggestions there. Your proposal certainly works for me.
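The point Patrick makes above, that session_name() has to run before anything opens a session, can be handled by choosing the name in farmconfig.php itself, which PmWiki loads ahead of each field's local/config.php. The following is an added example, not PmWiki's own code or Patrick's proposal. It assumes each field runs from its own directory (so getcwd() differs per field), that nothing before this point has already called session_start(), and that $FarmD is PmWiki's farm directory variable; the names $FarmFieldId and $FarmSessionName are invented for the example.

```php
<?php
// Added example (not PmWiki's own code): give each field in a wiki farm its
// own PHP session cookie by fixing the session name in farmconfig.php, i.e.
// before local/config.php and before authuser.php can call session_start().

// Derive a name that is unique per field yet stable across requests.
// Assumption: each field runs from its own directory, so getcwd() (the
// directory holding the field's index.php) differs between fields. Hashing
// keeps the name to cookie-safe characters and does not expose the path.
$FarmFieldId     = substr(md5(getcwd()), 0, 8);      // e.g. "3f2a9c1e" (hypothetical)
$FarmSessionName = 'PmWiki' . $FarmFieldId;          // e.g. "PmWiki3f2a9c1e"

// session_name() only takes effect when no session is active yet. If a
// session has already been started (session_id() is non-empty), setting the
// name now is too late for this request: both fields would keep sharing the
// cookie that was already sent. Warn loudly instead of failing silently.
if (session_id() !== '') {
    trigger_error('session already started before farmconfig.php set session_name();'
                . ' fields will share one session', E_USER_WARNING);
} else {
    session_name($FarmSessionName);

    // Also scope the cookie to this field's URL path, so a browser that visits
    // several fields on the same host does not send one field's cookie to the
    // others even if two fields ever end up with the same session name.
    $fieldPath = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
    session_set_cookie_params(0, $fieldPath);
}

// Only now load the recipe that opens the session.
include_once("$FarmD/scripts/authuser.php");
```

After deploying this, check with a browser's cookie viewer or the Set-Cookie response headers that logging in to two fields yields two cookies with different names and different session ids; identical ids mean something still called session_start() before farmconfig.php reached the session_name() line.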