[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files
Patrick R. Michaud
pmichaud at pobox.com
Tue Oct 16 13:06:42 CDT 2007
On Tue, Oct 16, 2007 at 02:16:15PM -0200, Guillermo Calderon - INCO wrote:
> Patrick R. Michaud wrote:
> > To briefly answer the above discussion: the plan is that PmWiki
> > will change the way it manages passwords so that they aren't held
> > in cleartext in the session data. In addition, there will be an
> > $EnableSessionPasswords configuration variable that can be used to
> > completely disable PmWiki's storage of passwords in the session.
>
> I don't understand why you need to store passwords in sessions.
> I think that it is not necessary to check passwords for a user who was
> successfully authenticated and the session is not expired.
> Am I wrong?
Many PmWiki sites (including all of the sites that I run) use
passwords to protect individual pages as opposed to using
user-based authorizations. On such sites there isn't a concept
of "authenticated user", and authorization is checked by testing
the passwords for a given page against any passwords that have
been entered during the session.
Pm
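As an added illustration of the page-password model Pm describes (this is example code written for this archive page, not PmWiki's own code), the sketch below keeps per-page authorization working without holding cleartext in the session: when an entered password matches one of a page's stored hashes, the session records only the matched hash, and later page checks look for that hash. The function names, the `$PageReadHashes` array and the use of `password_hash`/`password_verify` are assumptions; only `$EnableSessionPasswords` is named on the page.

```php
<?php
// Added example (not PmWiki's own code). Page-based authorization where the
// session remembers only the *hashes* a visitor has already matched, so a
// leaked PHP session file does not expose the cleartext password.
// Assumed names: rememberPasswordIfValid, pageIsReadable, $PageReadHashes.

// Named on the page: set to false to keep passwords out of the session entirely
// (the visitor is then re-prompted on every protected page).
$EnableSessionPasswords = true;

// Constructed sample data. Each page lists the hashes of the passwords that
// unlock it. In real use these hashes must be the ones persisted with the
// page (e.g. in its attributes), because the hash string itself is the key
// stored in the session; a hash regenerated per request would never match.
$PageReadHashes = [
    'Main.Secret' => [password_hash('open-sesame', PASSWORD_DEFAULT)],
    'Main.Other'  => [password_hash('another-one', PASSWORD_DEFAULT)],
];

session_start();

// Called when a visitor submits a password on the auth form for $pagename.
// The entered password is tested against the page's hashes; on a match only
// the matched hash is remembered, never the entered cleartext.
function rememberPasswordIfValid(string $pagename, string $entered): bool {
    global $PageReadHashes, $EnableSessionPasswords;
    foreach ($PageReadHashes[$pagename] ?? [] as $hash) {
        if (password_verify($entered, $hash)) {
            if ($EnableSessionPasswords) {
                $_SESSION['authhashes'][$hash] = true;
            }
            return true;
        }
    }
    return false;
}

// Authorization check for a page: readable if any of its hashes was matched
// earlier in this session. There is no "authenticated user" here, only the
// set of passwords the visitor has already proven knowledge of.
function pageIsReadable(string $pagename): bool {
    global $PageReadHashes;
    foreach ($PageReadHashes[$pagename] ?? [] as $hash) {
        if (!empty($_SESSION['authhashes'][$hash])) {
            return true;
        }
    }
    return false;
}

// Constructed demo flow: the page is closed before any password is entered,
// a wrong password does not open it, the right one does, and the second page
// (different password) stays closed because its hash was never matched.
pageIsReadable('Main.Secret');
rememberPasswordIfValid('Main.Secret', 'wrong-guess');
rememberPasswordIfValid('Main.Secret', 'open-sesame');
pageIsReadable('Main.Secret');
pageIsReadable('Main.Other');
```

The trade-off to keep in mind: a stolen session file no longer yields a reusable cleartext password, but it still grants access to the matching pages for as long as that session is valid, which is why the page also offers switching session storage off altogether.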