[pmwiki-users] https only when passwords are needed?
Lindsay Todd
toddr at rpi.edu
Fri Feb 16 13:10:21 CST 2007
Folks:
I am using pmwiki 2.2.0 beta 31 in a situation where users'
passwords are more precious than data in the wiki itself. It is highly
desirable to protect these passwords using ssl, ideally without
requiring all communication to pmwiki to use ssl. (I think I understand
how to force all usage to be in ssl, if I must.) I'm not sure how PHP
or pmwiki session state information is communicated, but I am not too
worried about session hijacking, as long as this state doesn't last too
long.
So I've looked at the SwitchToSSLMode recipe, I've tried catching
"login" and "edit" actions, and looked at the resulting page source, as
well as server logs. What I find is that most URLs are indeed rewritten
to use the https address. There is one small exception: the URL to
which the form is posted is a relative URL. So this recipe ends up
encrypting all that I don't need to protect, and leaving in plain text
the one thing I do need encrypted, the password!
I tried to add a php customization script for Site.AuthForm that
changes the definition of $ScriptUrl to $SecureScriptUrl (a variable I
am using to hold the https path), but it doesn't work. Looking into the
code (and I'm not a PHP hacker, so I may be missing something obvious),
I don't see any place it would call such customization code anyway. Of
course, unless I could force this to use an absolute URL for posting the
form, it was doomed to failure anyway.
Can anyone suggest any other ideas? Thank you!
/Lindsay
--
R. Lindsay Todd email: toddr at rpi.edu
Senior Systems Programmer phone: 518-276-2605
Rensselaer Polytechnic Institute fax: 518-276-2809
Troy, NY 12180-3590 WWW: http://www.rpi.edu/~toddr
The views, opinions, and judgments expressed in this message are
solely those of the author. The message contents have not been
reviewed or approved by Rensselaer.