[Pmwiki-users] PmWiki password puzzles

Jonathan Scott Duff duff
Mon Aug 30 07:55:22 CDT 2004 

On Mon, Aug 30, 2004 at 06:57:39AM -0600, Patrick R. Michaud wrote:
> This message talks a bit more about PmWiki's passwording system, and
> has two questions ("Q1" and "Q2" below) on which I'm seeking input.
> For purposes of this message, I'm temporarily setting aside the issue
> of user-based authorization schemes, which I'm also working on.
> 
> PmWiki's authentication system has a couple of annoyances that 
> I'd like to address.  First, for historical reasons PmWiki's 
> default authentication mechanism has been to use HTTP based 
> authentication.  Unfortunately, this tends to work only in 
> environments where PHP has been built as an Apache module;
> i.e., it generally doesn't work if PHP is running as a CGI script or
> other environments where the HTTP authentication information is not
> available to PHP.  It also fails on systems where the PmWiki script
> is being otherwise protected by Apache (e.g., a .htaccess file).
> 
> The solution to this second problem has typically been to use session-based
> authentication, via the sessionauth.php script.  However, since
> session-based authentication works "everywhere", while HTTP Basic
> authentication works only on selected systems, I'm thinking I should
> just switch the distribution to use session-based authentication
> by default and provide HTTP Basic authentication as an option.  I think
> would eliminate a lot of frustration and mail from people who are 
> having trouble getting passwords to work on their systems.
> 
> *** Q1: Any one have comments in favor of or against switching to
> session-based authentication as the default?

Seems like a good optimization for the common case. 

>   1. Leave things as they are--someone wanting to avoid the
>      alternating edit+read password problem in pages would then set
>      the edit password in both the edit and read password fields.
>   2. Have the system assume that a person who knows the edit or
>      attribute password is automatically given read permission to a
>      page without having to explicitly enter or know the read
>      password.
>   3. Have the system cache all of the passwords that have been entered
>      during a browser session, and test each page request against the
>      set of passwords (so that a user would only have to enter each
>      unique password once per browsing session).
>
> *** Q2: But my question is, what should be PmWiki's "default" setup in
> the distributed version?

#2 and #3.

-Scott
-- 
Jonathan Scott Duff
duff at pobox.com

More information about the pmwiki-users mailing list