[pmwiki-devel] AuthUser farm security

JB jbit at bitlink.com
Fri Nov 24 15:13:39 CST 2006


Just learned that when logged into one wiki using AuthUser, you
have access to all wikis in that farm which also use AuthUser.

Did some looking and it appears there are several solutions but
the documentation is sparse and scattered.  I feel that someone
using a farm might not catch on to this and could leave their
farm wikis vulnerable (like I did).


These two pages seem to have similar information in them,
but I feel they should be combined into one page.

   http://www.pmwiki.org/wiki/PmWiki/AuthUser
   http://www.pmwiki.org/wiki/Cookbook/AuthUser

This page has no information about the issue.

   http://www.pmwiki.org/wiki/Cookbook/FarmSecurity

This page has some information at the very bottom
using PHP code    session_name('XYZSESSID');

   http://www.pmwiki.org/wiki/PmWiki/Passwords

This page has some information near the bottom with the
heading "Ugh - Authentication Sessions and Farms".  It suggests
two ways, using a different user group for each farm or using
PHP code    $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';

   http://www.pmwiki.org/wiki/Cookbook/AuthUser

So of the three methods above, which is the best?

Is there a way to make this more automatic? In the setup
documentation can we change it so that by default AuthUser
will automatically have someone set this up to be secured
and they would have to customize it to make it open?
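
Added example, not part of the original post and not PmWiki code: a simplified model of PHP session handling showing why a login on one farm wiki is visible to another when both use PHP's default session name, and why a per-wiki session_name() separates them. The wiki entries, the 'authid' session key and the WIKIASESSID/WIKIBSESSID names are constructed for illustration; it assumes all farm wikis are served from one host with one session store.

```php
<?php
// Constructed model: one browser, one host, two farm wikis.
// $store is the server-side session data shared by every wiki on the host;
// $jar is the set of cookies the browser sends back to that host.

// Session cookie name a wiki would pass to session_name().
// null means the wiki never calls it, so PHP's default name applies.
function sessionNameFor(array $wiki): string {
    return $wiki['session_name'] ?? 'PHPSESSID';
}

// Log in to one wiki: record the user in a new session and give the
// browser a cookie named after that wiki's session name.
function login(array $wiki, string $user, array &$store, array &$jar): void {
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['authid' => $user];      // 'authid' is an illustrative key
    $jar[sessionNameFor($wiki)] = $id;
}

// Which user does this wiki see? It only reads the cookie that carries
// its own session name, then loads that session from the shared store.
function currentUser(array $wiki, array $store, array $jar): ?string {
    $id = $jar[sessionNameFor($wiki)] ?? null;
    return $id === null ? null : ($store[$id]['authid'] ?? null);
}

function report(string $label, ?string $user): void {
    echo $label, ': ', $user ?? '(not logged in)', "\n";
}

// Case 1: neither wiki sets a session name, so both read the same cookie.
$store = $jar = [];
$wikiA = ['session_name' => null];
$wikiB = ['session_name' => null];
login($wikiA, 'alice', $store, $jar);
report('default name, wiki A', currentUser($wikiA, $store, $jar));
report('default name, wiki B', currentUser($wikiB, $store, $jar));

// Case 2: each wiki's local config sets its own name, in the style of
// session_name('XYZSESSID'), so wiki B never looks at wiki A's cookie.
$store = $jar = [];
$wikiA = ['session_name' => 'WIKIASESSID'];
$wikiB = ['session_name' => 'WIKIBSESSID'];
login($wikiA, 'alice', $store, $jar);
report('per-wiki name, wiki A', currentUser($wikiA, $store, $jar));
report('per-wiki name, wiki B', currentUser($wikiB, $store, $jar));
```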




