[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Patrick R. Michaud pmichaud at pobox.com
Fri Oct 12 14:28:38 CDT 2007


On Fri, Oct 12, 2007 at 08:43:22PM +0200, Christophe David wrote:
> > AFAIK, there's no *simple* mean to solve what you called an issue.
> 
> Indeed, but it does not make it a non-issue ;-)
>
> I would advocate for a reasonable extra effort to at least not *STORE*
> the passwords in clear in PHP session files, even if the "solution" is
> not totally secure.  This would be much better than having nothing
> because we cannot have everything.

Sorry I've been away from this discussion (and others) for a while --
I've had a number of other things going on that have prevented me
from keeping up with email.

To briefly answer the above discussion:  the plan is that PmWiki
will change the way it manages passwords so that they aren't held
in cleartext in the session data.  In addition, there will be an
$EnableSessionPasswords configuration variable that can be used to
completely disable PmWiki's storage of passwords in the session.

I expect these to come out in the next release, hopefully sometime
within the next week.

It's also very likely that 2.2.0 will leave beta within the next
week or two.

Pm
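As an added illustration of the approach the message outlines (this is example code, not PmWiki's own implementation): once a submitted password has been checked against a page's stored hash, the session remembers the hash that was satisfied rather than the cleartext password, and a configuration switch can turn the remembering off altogether. The variable name $EnableSessionPasswords is taken from the thread; its exact semantics here, the authorize() function, the use of password_hash()/password_verify(), and the plain array standing in for $_SESSION are all assumptions made so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Assumed configuration switch: true = remember satisfied page hashes in the
// session; false = store nothing, so the user is re-prompted on each request.
$EnableSessionPasswords = true;

/**
 * Decide whether a request may act on a page protected by $pageHashes.
 *
 * @param array       $session    stands in for $_SESSION (plain array for CLI use)
 * @param string[]    $pageHashes password hashes from the page's protection setting
 * @param string|null $submitted  password from the login form, or null if none sent
 * @param bool        $enable     the $EnableSessionPasswords switch
 */
function authorize(array &$session, array $pageHashes, ?string $submitted, bool $enable): bool
{
    // A hash already satisfied earlier in this session grants access again.
    foreach ($pageHashes as $hash) {
        if (isset($session['authpw'][$hash])) {
            return true;
        }
    }
    if ($submitted === null) {
        return false;
    }
    // Check the typed password; on success record only the matched hash.
    foreach ($pageHashes as $hash) {
        if (password_verify($submitted, $hash)) {
            if ($enable) {
                $session['authpw'][$hash] = true;
            }
            return true;
        }
    }
    return false;
}

// Constructed demo data: one page protected by a hash of "s3cret-edit".
$editHash = password_hash('s3cret-edit', PASSWORD_DEFAULT);

$session = [];
var_dump(authorize($session, [$editHash], 's3cret-edit', $EnableSessionPasswords)); // bool(true)
var_dump(authorize($session, [$editHash], null, $EnableSessionPasswords));          // bool(true): remembered by hash
var_dump(strpos(serialize($session), 's3cret-edit') === false);                     // bool(true): no cleartext in session data

$session = [];
var_dump(authorize($session, [$editHash], 's3cret-edit', false));  // bool(true)
var_dump(authorize($session, [$editHash], null, false));           // bool(false): nothing was stored
```

With the switch on, the serialized session (what PHP writes to its session file) contains the page's hash but never the password the user typed; a page protected by a different hash of the same password still requires re-entry, which is the trade-off the thread accepts as "not totally secure" but better than cleartext. With the switch off, the session carries no credential material at all.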
