[pmwiki-users] How to restrict auth to secure connections

Bart pmwiki-users at mediamatrix.nl
Tue Sep 5 05:58:52 CDT 2006

Hi Daniel, 

Thanks for your reply, it's good to read that this was what you were
after. Note that only hiding the login action is not a security measure. You
really need to switch off the actions in config.php as described. This
also prevents the smart user who appends ?action=login from logging in via http.

Please feel free to drop a line on how this works out for you. 

Happy wiking, Bart

On Tue, Sep 05, 2006 at 10:14:06AM +0200, Daniel Rubin wrote:
| Hi Bart,
| and first of all:  Thanks for this detailed and enlightening post!
| It seems you have just given me the tools I need to do what I want.
| The config.php stuff looks just right:  This is exactly what I was after.
| Not showing the edit, attach, etc. action links when not authenticated 
| was something I had figured out for myself, too, but the hiding of the 
| login action when without https is a nice extra.
| So, thanks again, I will try to implement this this afternoon and drop a 
| short note to the list about how it worked out.
| Have fun,
| ----Daniel
| Bart wrote:
| >Hi Daniel, 
| >
| >On Thu, Aug 31, 2006 at 09:48:28AM +0200, Daniel Rubin wrote:
| >| Hi Bart,
| >| please forgive me for letting you wait so long for an answer.  I was out of 
| >| work for a couple of days and only just read your message.
| >| 
| >| What you propose really looks like a fine concept, but unfortunately 
| >| doesn't suit my needs (as far as I can see).  Using the apache 
| >| authentication would cause a login dialog to pop up on any access to the 
| >| wiki, wouldn't it?  
| >
| >Actually it won't; once authenticated it's valid for the whole browser
| >session. But I left the concept of passing the apache authentication to
| >PmWiki, because PmWiki authentication is much more transparent to set up in a
| >mixed PmWiki http/https environment.
| >
| >| But I want anybody to be able to view wiki pages without any fuss, to have
| >| a somewhat CMS-like behavior of the wiki engine. All I want to do is to
| >| ensure that people who have valid login credentials don't expose them by
| >| logging in through an insecure connection.
| >
| >I worked out the following setup:
| >
| >PmWiki reachable via http for browsing, no action links visible, actions
| >not working when appended to the URL.
| >PmWiki reachable via https for editing, with login via Apache or PmWiki,
| >whichever way you like best. 
| >
| >| I was thinking it should be possible to achieve my goal by a few simple 
| >| lines in config.php.  Is there a $_SERVER variable indicating whether a 
| >| request is from an https connection or not?  I believe I saw something 
| >| concerning the originating IP address, so that would solve half my problem.
| >
| >For apache there is $_SERVER["HTTPS"], which is "on" if connecting via https
| >and which is the key for my setup. Be aware this can be server specific. So
| >if things don't work, the variable is probably not present or not set by the
| >webserver.
| >
| >| And maybe I could use the AuthUserId function you mentioned in your 
| >| quote from the cookbook, to cancel an authentication after I worked out 
| >| it is illegal because of its source?
| >
| >Actually there is a way that is much easier and more straightforward :-)
| >
| >For your config.php:
| >
| ># switch off the listed actions if the request did not come in over https
| ># (the "!" has to negate the comparison, not the string: "!$x == 'on'"
| ># would compare a boolean with 'on' and miss servers that set "off")
| >if (strtolower(@$_SERVER["HTTPS"]) != 'on') {
| >  $HandleActions['edit'] = '';
| >  $HandleActions['upload'] = '';
| >  $HandleActions['attr'] = '';
| >  $HandleActions['source'] = '';
| >  $HandleActions['rename'] = '';
| >  $HandleActions['login'] = '';
| >}
| >
| >This switches off all the actions listed when not using https, so people
| >can't reach the login form anymore when using http. Just try it by appending
| >?action=login or another action to a page displayed via http. PmWiki just
| >returns the page in browse view. 
| >
| >Thanks to Pm for pointing this out in one of his posts on this list :-)
| >
| >Hiding the action links to get a kind of CMS look can be done in more
| >than one way. There are even recipes in the cookbook doing this for you.
| >However, I liked to figure out how to do this myself :-)
| >
| >It's not that hard :-) Edit Site.PageActions and precede the actions list
| >with (:if authid:), or you can use (:if auth edit:) or (:if auth admin:) and
| >the like to show only the links one is authenticated for.
| >
| >I also set up a separate Login link at the end of the list, because the
| >other links are hidden when not logged in. It only shows up when using
| >https:
| >
| >(:if equal {$https} on :)
| >* %item rel=nofollow class=rename accesskey=$[ak_login]%[[{$FullName}?action=login | $[Login] ]]
| >
| >And presto! On http the site looks like a static site: no links, no way to
| >invoke a login form. On https there's a login link. Once logged in, the other
| >action links show up :-)
| >
| >Be aware that (:if :) conditionals do not nest. Just read
| >http://pmwiki.org/wiki/PmWiki/ConditionalMarkup for a good explanation on
| >this.
| >
| >
| >Good luck, Bart 
| >
| >
| >
| >_______________________________________________
| >pmwiki-users mailing list
| >pmwiki-users at pmichaud.com
| >http://www.pmichaud.com/mailman/listinfo/pmwiki-users
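The quoted config.php snippet tests $_SERVER["HTTPS"] against the single value "on". The block below is an added example, not code from the thread or from PmWiki itself: it puts the https test in a small function that also copes with servers that set the variable to "1" or to "off", applies the thread's action list through a function that can be checked from the command line, and adds one way to define the {$https} page variable that the Site.PageActions markup above relies on but the thread never defines. The use of $FmtPV for that, and the assumption that $HandleActions already exists when config.php is included, are mine and not shown on the page.

```php
<?php
// Added example for local/config.php; not code from the thread.
// Assumptions (not shown in the thread): PmWiki's $HandleActions array
// and the $FmtPV page-variable table exist when config.php is included,
// and $FmtPV entries are PHP expression strings. The values "1" and
// "off" for $_SERVER['HTTPS'] are ones other servers/SAPIs set; the
// thread itself only mentions Apache's "on".

// True only when this request arrived over TLS.
// Unset or empty means plain http; "off" is what some servers set on
// plain http and must not be mistaken for "on".
function request_is_https(array $server) {
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $value = strtolower(trim((string)$server['HTTPS']));
    return $value !== '' && $value !== 'off';
}

// Actions that carry credentials or change content (list from the thread).
$SecureOnlyActions = array('edit', 'upload', 'attr', 'source', 'rename', 'login');

// Returns a copy of $handleActions with every secure-only action blanked
// when the request is not https, so PmWiki falls back to browse view for
// those actions. The table is returned untouched on https.
function restrict_handle_actions(array $handleActions, array $secureOnly, $isHttps) {
    if ($isHttps) {
        return $handleActions;
    }
    foreach ($secureOnly as $action) {
        $handleActions[$action] = '';
    }
    return $handleActions;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    // Self-check when run directly: php this_file.php
    $checks = array(
        request_is_https(array()) === false,
        request_is_https(array('HTTPS' => 'off')) === false,
        request_is_https(array('HTTPS' => 'On')) === true,
        request_is_https(array('HTTPS' => '1')) === true,
    );
    $plain = restrict_handle_actions(array('edit' => 'HandleEdit', 'browse' => 'HandleBrowse'),
                                     array('edit', 'login'), false);
    $checks[] = $plain['edit'] === '' && $plain['login'] === '' && $plain['browse'] === 'HandleBrowse';
    $tls = restrict_handle_actions(array('edit' => 'HandleEdit'), array('edit'), true);
    $checks[] = $tls['edit'] === 'HandleEdit';
    if (in_array(false, $checks, true)) {
        fwrite(STDERR, "self-check failed\n");
        exit(1);
    }
    echo "self-check ok\n";
    exit(0);
}

// Real config.php path: apply the restriction to PmWiki's table.
if (!isset($HandleActions)) {
    $HandleActions = array();   // assumption: normally already set by PmWiki
}
$HandleActions = restrict_handle_actions($HandleActions, $SecureOnlyActions, request_is_https($_SERVER));

// Page variable {$https} for the (:if equal {$https} on :) markup in
// Site.PageActions. The thread uses it but does not show its definition;
// this is one way to define it (assumption about $FmtPV, see above).
$FmtPV['$https'] = 'request_is_https($_SERVER) ? "on" : "off"';
```

Two points follow from the thread's own reasoning. The (:if :) markup only decides what is displayed; the $HandleActions table is the check that actually stops ?action=login over http, so keep both but rely on the second. And if TLS is terminated on a reverse proxy, the backend's $_SERVER['HTTPS'] will be unset for every request; the proxy has to tell the backend about the scheme, and any forwarded header carrying that information should be accepted only from the proxy's address, since a client can send the same header itself.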
