[pmwiki-users] using authuser in wiki farms

Patrick R. Michaud pmichaud at pobox.com
Thu Mar 9 10:25:22 CST 2006


On Thu, Mar 09, 2006 at 05:03:49PM +0100, Marco Ferretti wrote:
> I noticed, in a test wikifarm, that if I log in to a field and then I open, in
> another Firefox tab or another browser instance on the same machine,
> another field, I am recognized as already logged in, even if the password
> file of the second field doesn't contain the user used in the first field.
>
> Is this expected?

It's not entirely unexpected.  PmWiki doesn't want to have to check
the username and password with each request (too expensive), so once
someone has authenticated it stores the information in a PHP session.

Unfortunately, this means that if two fields are on the same server,
use the same domain name, and PHP's default session settings, then
the session information gets shared across fields, and authentication
in one field will count for another.

I don't have an entirely satisfactory answer for this at the moment.
One thing that might work would be to give every field a unique
session name -- at the top of each field's local/config.php
file, put a line like:

    session_name('FieldID');

where FieldID is a unique and descriptive name (letters + numbers only)
for each field.  This should tell PHP to keep the sessions separate for
each field.  

It might be nice to have PmWiki be able to generate unique field
IDs on its own, but I don't have a really good way to do that yet.
It probably needs to be based on the current directory somehow.

Let me know if the session_name(...) approach fixes things -- if so,
I may see about putting something into the core distribution.

Pm
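
The idea floated in the message above, a field ID based on the current directory, could be sketched as follows for a field's local/config.php. This is an added example, not code from PmWiki or from the original message; the helper name field_session_name and the 'PmWikiField' prefix are assumptions.

```php
<?php
// Added example (not PmWiki code): derive a per-field session name from the
// field's directory, so each field on the same host and domain gets its own
// session cookie without anyone having to pick a FieldID by hand.

/**
 * Hypothetical helper: map a field directory to a stable session name.
 * PHP session names should be alphanumeric and need at least one letter,
 * so a fixed alphabetic prefix goes in front of the hex digest.
 */
function field_session_name(string $fieldDir, string $prefix = 'PmWikiField'): string
{
    // Resolve symlinks and relative parts so one directory always maps to
    // one name; fall back to the path as given if it cannot be resolved.
    $real = realpath($fieldDir);
    if ($real === false) {
        $real = $fieldDir;
    }

    // Normalise separators and any trailing slash before hashing.
    $real = rtrim(str_replace('\\', '/', $real), '/');

    // 16 hex characters of SHA-256 are enough to tell fields apart.
    // The name is only a cookie label, not a secret.
    $digest = substr(hash('sha256', $real), 0, 16);

    // Strip anything non-alphanumeric from a caller-supplied prefix and
    // make sure at least one letter remains.
    $prefix = preg_replace('/[^A-Za-z0-9]/', '', $prefix);
    if ($prefix === '' || ctype_digit($prefix)) {
        $prefix = 'F' . $prefix;
    }

    return $prefix . $digest;
}

// In <field>/local/config.php, __DIR__ is <field>/local, so its parent is
// the field directory. session_name() must run before the session starts.
if (session_status() === PHP_SESSION_NONE) {
    session_name(field_session_name(dirname(__DIR__)));
}
```

Two fields that resolve to the same real directory (for example through a symlink) would still get the same name, and so would still share a session.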



