[pmwiki-devel] Advice on coexisting with AuthUser?

Patrick R. Michaud pmichaud at pobox.com
Sat Aug 2 12:50:30 CDT 2008


On Sun, Jul 27, 2008 at 11:11:14AM +1200, john.rankin at affinity.co.nz wrote:
> > The most robust solution would be for the PDF server to
> > ask the user for username and password and then pass those
> > along in its http request to the wiki.  It could do this at
> > the outset, or only when a request results in an authentication
> > request from the wiki.
> 
> I had hoped to avoid this, if possible:
> - the user will think "but I already signed in"
> - we'd have to prompt for a name and password on each and
>    every PDF request

The PDF server could use a session to keep track of name and
session as well -- then the user will be prompted only for
the first PDF request.

> > Another slightly trickier solution would be for the wiki
> > to generate links and/or forms that are submitted to the
> > PDF server that contain the needed session token information.
> 
> Well. PDF requests are always initiated from a special form.
> Donald Gordon did something clever with cookies to make
> password protected pages work. He passed this to the
> PDF server:
> 
> # pass authentication to wikipublisher
>   if (isset($_COOKIE['PHPSESSID']))
>       $out[] =  '<input type="hidden" name="PHPSESSID" '.
>       'value="'.htmlspecialchars($_COOKIE['PHPSESSID'],ENT_QUOTES) . '" />';
> 
> Then the PDF server Perl script does this:
> 
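>     my $req = HTTP::Request->new(GET => $url);
>     $req->header('User-Agent' => 'Wikibook');
>     # header() replaces any earlier value, so send all cookies in one Cookie header
>     my $cookies = $opts->{cookies} || {};
>     if (%$cookies) {
>         $req->header('Cookie' => join('; ', map { "$_=$cookies->{$_}" } keys %$cookies));
>     }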
> 
> I don't understand this, but the PDF server can generate a
> PDF from a password-protected page. 

Ah!  The first part embeds the session cookie (PHPSESSID) into
the form, and then the PDF server passes that cookie in its request
for the wiki page.  Since PHP doesn't check the source IP of the
cookie, it sees the PDF server's session as being the same as the
user's session.  AuthUser should work fine for this approach also.

I'd suggest trying that.  I can help with code and the like,
although what Donald has in place seems quite workable for AuthUser
already.  (I also may be a bit slow to respond, as I'm in Hawai'i
this week and in Denmark next week.  :-)

Aloha,

Pm
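
The flow described in this message, modelled end to end as an added example (not code from the thread, PmWiki or Wikipublisher). It shows why the forwarded PHPSESSID is accepted from the PDF server's address and what changes if the wiki bound sessions to the login IP. The function names, the `bind_to_ip` switch, the hosts and the IP addresses are assumptions constructed for illustration.

```python
import html
import secrets
from html.parser import HTMLParser

SESSIONS = {}  # wiki-side store (constructed): session id -> user and login IP

def wiki_login(user, client_ip):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return sid

def wiki_pdf_form(cookies):
    """Wiki: copy the browser's session cookie into a hidden form field."""
    sid = cookies.get("PHPSESSID")
    field = '<input type="hidden" name="PHPSESSID" value="%s" />'
    hidden = field % html.escape(sid, quote=True) if sid else ""
    return '<form method="post" action="https://pdf.example/">%s</form>' % hidden

class HiddenFields(HTMLParser):  # browser stand-in: collects hidden inputs
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""

def browser_submit(form_html):
    parser = HiddenFields()
    parser.feed(form_html)
    return parser.fields

def pdf_server_request(url, form_fields, source_ip="198.51.100.20"):
    """PDF server: replay the submitted session id as a Cookie header."""
    cookies = {k: v for k, v in form_fields.items() if k == "PHPSESSID"}
    cookie_header = "; ".join("%s=%s" % kv for kv in cookies.items())
    return {"url": url, "source_ip": source_ip,
            "headers": {"User-Agent": "Wikibook", "Cookie": cookie_header}}

def wiki_serve(request, bind_to_ip=False):
    """Wiki: find the session by id alone; bind_to_ip adds a source-IP check."""
    pairs = request["headers"].get("Cookie", "").split("; ")
    cookies = dict(p.split("=", 1) for p in pairs if "=" in p)
    session = SESSIONS.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, None
    if bind_to_ip and session["ip"] != request["source_ip"]:
        return 403, None
    return 200, session["user"]
```

With the default lookup the PDF server's request is served as the logged-in user; with `bind_to_ip=True` the same request is refused, so this delegation depends on the session id being the only credential checked.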


