[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Guillermo Calderon - INCO calderon at fing.edu.uy
Tue Oct 16 11:16:15 CDT 2007


Patrick R. Michaud wrote:
> On Fri, Oct 12, 2007 at 08:43:22PM +0200, Christophe David wrote:
> 
>>>AFAIK, there's no *simple* means to solve what you called an issue.
>>
>>Indeed, but it does not make it a non-issue ;-)
>>
>>I would advocate for a reasonable extra effort to at least not *STORE*
>>the passwords in clear in PHP session files, even if the "solution" is
>>not totally secure.  This would be much better than having nothing
>>because we cannot have everything.
> 
> 
> Sorry I've been away from this discussion (and others) for a while --
> I've had a number of other things going on that have prevented me
> from keeping up with email.
> 
> To briefly answer the above discussion:  the plan is that PmWiki
> will change the way it manages passwords so that they aren't held
> in cleartext in the session data.  In addition, there will be an
> $EnableSessionPasswords configuration variable that can be used to
> completely disable PmWiki's storage of passwords in the session.
> 
> I expect these to come out in the next release, hopefully sometime
> within the next week.
> 
> It's also very likely that 2.2.0 will leave beta within the next
> week or two.
> 
> Pm

I don't understand why you need to store passwords in sessions.
I think that it is not necessary to check passwords for a user who was
successfully authenticated and whose session is not expired.
Am I wrong?
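As an added illustration of the two patterns under discussion (this is example code written for this page, not PmWiki's code and not from any participant in the thread), the weak approach that keeps the cleartext password in `$_SESSION` is shown beside the approach Guillermo describes, where the session records only the outcome of authentication. The user table, the function names, the `authgroups` entry and the `@editors` group are constructed for the example; the session is a plain array so it runs from the command line without a web server.

```php
<?php
declare(strict_types=1);

// Constructed credential store: username => password_hash() hash.
// Hypothetical data for this example, not PmWiki's AuthUser format.
function user_table(): array {
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Pattern 1 (weak): keep the cleartext password in the session so it can be
// re-checked on later requests. Everything in $_SESSION is serialized to the
// session store (with PHP's default files handler, a sess_<id> file under
// session.save_path), so the password sits on disk in the clear, readable by
// anything that runs as the web server user or can read that directory.
function login_weak(array &$session, string $user, string $pass): bool {
    $users = user_table();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    $session['authid'] = $user;
    $session['authpw'] = $pass;            // cleartext password, written to disk
    return true;
}

// Pattern 2 (hardened): verify once, then store only the result. Later
// requests trust 'authid' (and whatever was granted at login) until the
// login expires; the password is not held anywhere after verification.
function login_hardened(array &$session, string $user, string $pass): bool {
    $users = user_table();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    $session['authid']     = $user;
    $session['authtime']   = time();       // lets the application expire the login
    $session['authgroups'] = ['@editors']; // hypothetical: groups granted at login time
    return true;
}

// Authorization check on a later request: no password needed, only the
// recorded state and an age limit (expiry is the application's choice).
function is_authenticated(array $session, int $max_age = 3600): bool {
    return isset($session['authid'], $session['authtime'])
        && (time() - $session['authtime']) <= $max_age;
}

// Approximates what the files session handler writes (the serialized array)
// and reports whether the cleartext password can be found in it.
function session_leaks_password(array $session, string $pass): bool {
    return strpos(serialize($session), $pass) !== false;
}

// Demo run
$pass = 'correct horse battery staple';
$weak = [];
$hard = [];
login_weak($weak, 'alice', $pass);
login_hardened($hard, 'alice', $pass);
printf("weak session leaks password:     %s\n", session_leaks_password($weak, $pass) ? 'yes' : 'no');
printf("hardened session leaks password: %s\n", session_leaks_password($hard, $pass) ? 'yes' : 'no');
printf("hardened session authenticated:  %s\n", is_authenticated($hard) ? 'yes' : 'no');
```

Run it with `php example.php`: the weak session's serialized form contains the password, the hardened one does not, and the hardened session still answers "authenticated" for later requests. In a real request handler, call `session_regenerate_id(true)` right after a successful login so the authenticated state is not bound to a session ID the client held before authenticating. Where an application does need to re-prove possession of a password later (Pm's message says PmWiki will change how it manages passwords so they are no longer held in cleartext, and will add `$EnableSessionPasswords` to turn the storage off entirely), storing a hash rather than the password itself is the middle ground; the pattern above is the stricter one Guillermo asks about, where nothing derived from the password survives the login request.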