[pmwiki-users] How to restrict auth to secure connections

Daniel Rubin Daniel.Frederik.Rubin at scai.fraunhofer.de
Thu Aug 17 06:58:49 CDT 2006


Michael Brenner wrote:
> Hello Daniel,
> NOT A SOLUTION, just to think about, this code rewrites URLs to https (always). 
> Maybe you put this into a special condition like "if (authform requested)..."
> 
> config.php
> ...
> $ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
> $PubDirUrl = preg_replace('#/[^/]*$#','/pub',$ScriptUrl,1);
> ...
> $UploadDir = preg_replace('#/[^/]*$#','/uploads',$_SERVER['SCRIPT_FILENAME'],1); //???
> $UploadUrlFmt = preg_replace('#/[^/]*$#','/uploads',$ScriptUrl,1);
> ...
> 
> keep side effects in mind!
> found this on an internet search, you may try to ask me questions about this but 
> don't expect too much.
> 
> hope this helps - mik

Hi Mik,

thank you for sharing your thoughts.

What I like about your suggestion is the idea to make sure that auth 
data only gets *sent* over an encrypted channel.  This is essentially 
what I was aiming at.
However, in addition to that, I'd like to force the users not to 
transmit their credentials insecurely.  I want the wiki to just not 
accept login data that doesn't come over an encrypted channel or from 
the local network.  Just to make sure no one tries to work around the 
login form.  (No idea why someone should want this, but I like clear and 
stable solutions.)

Alright, thanks once more!  Have fun,

----Daniel



> On Thursday, 17 August 2006 10:27, Daniel Rubin wrote:
> 
>>Greetings, everyone.
>>
>>I'd like to restrict authentication to my wiki such that
>>   * login is only permitted from connections via https or from
>>     the local network
>>   * the authentication form is also only shown under these
>>     circumstances.
>>
>>Which is the best way to achieve this?
>>I'm using pmwiki-2.1.11 with AuthUser (with htpasswd file), served by an
>>Apache on a Linux box.
>>
>>I'll be grateful for any good advice, hints or suggestions.
>>
>>Have fun,
>>----Daniel
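
Added example, not part of the original thread and not PmWiki's own code: one way to enforce the rule Daniel describes from config.php, discarding login fields unless the request came over HTTPS or from a local range. The network ranges, the `wiki.example.org` host, the `authid`/`authpw` field names and `action=login` are assumptions here.

```php
<?php
// Added example for PmWiki's local/config.php; not code from the thread.
// Assumptions: the ranges and host below are placeholders, AuthUser's form
// posts 'authid'/'authpw', and this runs before AuthUser is included.
$LocalNets  = array('127.0.0.0/8', '192.168.0.0/16');  // assumed local ranges
$SecureBase = 'https://wiki.example.org';               // placeholder host

// True when IPv4 address $ip lies inside CIDR block $cidr (prefix 1..32).
function ip_in_cidr($ip, $cidr) {
  list($net, $bits) = explode('/', $cidr);
  $ipl  = ip2long($ip);
  $netl = ip2long($net);
  if ($ipl === false || $netl === false) return false;  // non-IPv4 peer: not local
  $mask = -1 << (32 - (int)$bits);
  return ($ipl & $mask) == ($netl & $mask);
}

// True when the request came over TLS or from one of the ranges in $nets.
function connection_is_trusted($server, $nets) {
  if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) != 'off')
    return true;
  $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  foreach ($nets as $cidr)
    if (ip_in_cidr($peer, $cidr)) return true;
  return false;
}

if (!connection_is_trusted($_SERVER, $LocalNets)) {
  // Discard credentials that arrived in cleartext from outside, so the
  // login cannot succeed even if someone posts to the http URL directly.
  foreach (array('authid', 'authpw') as $field)
    unset($_POST[$field], $_GET[$field], $_REQUEST[$field]);
  // Send explicit login requests to the https URL instead of showing the form.
  if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'login') {
    header('Location: ' . $SecureBase . $_SERVER['REQUEST_URI'], true, 302);
    exit;
  }
}
```

`HTTPS` and `REMOTE_ADDR` describe the hop that reaches Apache, so behind a reverse proxy both reflect the proxy rather than the user. A password posted over plain http has already crossed the network by the time it is discarded, so this check complements serving the form over https and does not replace it.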