[Pmwiki-users] PmWiki password puzzles

John Rankin john.rankin
Mon Aug 30 18:58:48 CDT 2004


I like #2 because it is easy to explain to users and they don't have
to remember anything special.

I think #2 is slightly friendlier than #3; consider the following:
- a page has different read and edit passwords
- in #3, I have to enter both passwords if I want to read and edit
- in #2, I can enter just the edit password and I will also be able
  to read

JR

On Tuesday, 31 August 2004 4:15 AM, Ciaran <ciaranj at gmail.com> wrote:
>I like #2 and #3, although Alex's point is very well made, but that
>could happen by coincidence anyway? It's not really more likely to
>occur just because the browser's caching the password, the user would
>instinctively try their password anyway...
>
>As to keeping track of whether a page is password protected, perhaps
>we could have a variable to use in the template that tells us whether
>they're in password-edit mode or password-read mode etc ?
>- Ciaran
>
>
>On Mon, 30 Aug 2004 16:22:14 +0200, Alexandre Courbot
><alexandre.courbot at lifl.fr> wrote:
>> 
>> >>*** Q1: Any one have comments in favor of or against switching to
>> >>session-based authentication as the default?
>> >
>> >
>> > Seems like a good optimization for the common case.
>> 
>> I think so too. I've just set up the devel version of PmWiki to start a new
>> site, and unfortunately I'm in the case where I can't use HTTP-based
>> authentication. And I don't have a sessionauth script with this version.
>> 
>> Anyway, using session-based authentication by default is not really
>> likely to bother people (and if it does, they should be able to include
>> an httpauth script).
>> 
>> >>  1. Leave things as they are--someone wanting to avoid the
>> >>     alternating edit+read password problem in pages would then set
>> >>     the edit password in both the edit and read password fields.
>> >>  2. Have the system assume that a person who knows the edit or
>> >>     attribute password is automatically given read permission to a
>> >>     page without having to explicitly enter or know the read
>> >>     password.
>> >>  3. Have the system cache all of the passwords that have been entered
>> >>     during a browser session, and test each page request against the
>> >>     set of passwords (so that a user would only have to enter each
>> >>     unique password once per browsing session).
>> >>
>> >>*** Q2: But my question is, what should be PmWiki's "default" setup in
>> >>the distributed version?
>> >
>> >
>> > #2 and #3.
>> 
>> #2 is good IMO, since the levels are inclusive. #3 might allow a user to
>> have access to a page he shouldn't, if by chance they have the same
>> password (even though the user doesn't know it).
>> 
>> Alex.
>> --
>> Alexandre Courbot
>> PhD Student - LIFL/RD2P
>> http://www.lifl.fr/~courbot/
>> 


-- 
JR
--
John Rankin
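
The difference between options #2 and #3 discussed in this thread can be shown with a small model. This is an added example, not PmWiki code and not from any poster in the thread; the page names, passwords, function names and the salted PBKDF2 storage format are all assumptions made for illustration.

```python
import hashlib, hmac, os

LEVELS = ("read", "edit", "attr")  # ascending privilege, names as used in the thread

def protect(password):
    """Store a page password as (salt, PBKDF2 digest); storage format is assumed."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def matches(password, stored):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def allowed_option2(page, level, password):
    """#2: the password for `level` or for any higher level grants `level`."""
    if level not in page:
        return True  # no password set for this level
    higher = LEVELS[LEVELS.index(level):]
    return any(lv in page and matches(password, page[lv]) for lv in higher)

def allowed_option3(page, level, session_passwords):
    """#3: every password entered this session is tried against `level` only."""
    if level not in page:
        return True
    return any(matches(pw, page[level]) for pw in session_passwords)

def demo():
    # Constructed pages: two authors happened to pick the same edit password.
    page_a = {"read": protect("a-read"), "edit": protect("shared-by-chance")}
    page_b = {"read": protect("b-read"), "edit": protect("shared-by-chance")}
    session = ["shared-by-chance"]  # the user typed only page A's edit password
    return {
        "opt2_read_a_with_edit_pw": allowed_option2(page_a, "read", "shared-by-chance"),
        "opt2_edit_a_with_read_pw": allowed_option2(page_a, "edit", "a-read"),
        "opt3_read_a": allowed_option3(page_a, "read", session),
        "opt3_edit_a": allowed_option3(page_a, "edit", session),
        "opt3_edit_b": allowed_option3(page_b, "edit", session),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

Under #2 the edit password also grants read but the read password never grants edit; under #3 alone the same session still needs the read password for page A, and it is granted edit on page B without being prompted because the cached password happens to match.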




