[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Patrick R. Michaud pmichaud at pobox.com
Tue Oct 16 13:06:42 CDT 2007


On Tue, Oct 16, 2007 at 02:16:15PM -0200, Guillermo Calderon - INCO wrote:
> Patrick R. Michaud wrote:
> > To briefly answer the above discussion:  the plan is that PmWiki
> > will change the way it manages passwords so that they aren't held
> > in cleartext in the session data.  In addition, there will be an
> > $EnableSessionPasswords configuration variable that can be used to
> > completely disable PmWiki's storage of passwords in the session.
> 
> I don't understand why you need to store passwords in sessions.
> I think that it is not necessary to check passwords for a user who was 
> successfully authenticated and the session is not expired.
> Am I wrong?

Many PmWiki sites (including all of the sites that I run) use 
passwords to protect individual pages as opposed to using 
user-based authorizations.  On such sites there isn't a concept 
of "authenticated user", and authorization is checked by testing
the passwords for a given page against any passwords that have
been entered during the session.

Pm
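The page-password model Pm describes, as an added example that is not PmWiki's own code: page attributes hold salted hashes of the passwords protecting each page (PmWiki keeps crypt() strings there; PBKDF2 is used here as a stand-in), and authorization is decided by matching the page's hashes against what the visitor has entered during the session. The two session classes, the page names, the passwords and the JSON "session file" are all constructed for the illustration. ClearTextSession is the behaviour under discussion in the thread; MatchedHashSession is one way to keep passwords out of the session, shown here to make the trade-off visible: a password typed once no longer carries over to a page that stores the same password under a different salt.

```python
"""Page-password authorization: cleartext-in-session vs matched-hash-only.

Constructed example, not PmWiki code.  PAGES stands in for per-page
attributes holding password hashes; the session classes stand in for
PHP session data that PmWiki serialises to disk.
"""
import hashlib
import hmac
import json
import os

ITERATIONS = 50_000  # PBKDF2 rounds; a stand-in for PmWiki's crypt()


def hash_password(password, salt=None):
    """Return 'salt$digest' for password (random salt unless one is given)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password, stored):
    """Constant-time check of password against a 'salt$digest' string."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed page attributes.  SHARED is one hash string copied onto two
# pages (as an admin pasting the same crypt() string would do); Main.Other
# hashes the same password "alpha" under a fresh salt; Main.Beta differs.
SHARED = hash_password("alpha", salt=bytes.fromhex("0011223344556677"))
PAGES = {
    "Main.Secret": {"read": [SHARED]},
    "Main.Sister": {"read": [SHARED]},
    "Main.Other": {"read": [hash_password("alpha")]},
    "Main.Beta": {"read": [hash_password("beta")]},
}


class ClearTextSession:
    """Session data = every password typed so far (the thread's status quo)."""

    def __init__(self):
        self.data = {"authpw": []}

    def enter_password(self, page, level, password):
        if any(check_password(password, h) for h in PAGES[page][level]):
            self.data["authpw"].append(password)
            return True
        return False

    def authorized(self, page, level):
        # Re-test every typed password against every hash on this page,
        # which is why the cleartext has to be kept around.
        return any(check_password(p, h)
                   for p in self.data["authpw"] for h in PAGES[page][level])


class MatchedHashSession:
    """Session data = the hash strings that a typed password satisfied."""

    def __init__(self):
        self.data = {"authhash": []}

    def enter_password(self, page, level, password):
        matched = [h for h in PAGES[page][level] if check_password(password, h)]
        for h in matched:
            if h not in self.data["authhash"]:
                self.data["authhash"].append(h)
        return bool(matched)

    def authorized(self, page, level):
        # Only hash strings are compared; no password is needed or stored.
        return any(h in self.data["authhash"] for h in PAGES[page][level])


def session_on_disk(session):
    """What a serialised session file would contain for this session."""
    return json.dumps(session.data)


def demo():
    """Type 'alpha' on Main.Secret once, then probe the other pages."""
    clear, matched = ClearTextSession(), MatchedHashSession()
    for s in (clear, matched):
        s.enter_password("Main.Secret", "read", "alpha")
    return {
        "clear_sister": clear.authorized("Main.Sister", "read"),
        "clear_other": clear.authorized("Main.Other", "read"),
        "clear_beta": clear.authorized("Main.Beta", "read"),
        "clear_leaks": "alpha" in session_on_disk(clear),
        "matched_sister": matched.authorized("Main.Sister", "read"),
        "matched_other": matched.authorized("Main.Other", "read"),
        "matched_beta": matched.authorized("Main.Beta", "read"),
        "matched_leaks": "alpha" in session_on_disk(matched),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the point of the thread from both sides: with cleartext in the session, "alpha" typed on Main.Secret also opens Main.Sister and Main.Other, but the serialised session contains the password, so anyone who can read the PHP session files gets it. With only matched hashes stored, the session file holds nothing reusable, Main.Sister (same hash string) still opens, but Main.Other (same password, different salt) does not, so a site that relies on one password being re-tested across many independently hashed pages has to accept re-prompting or share hash strings between pages.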
