[pmwiki-users] security (again!)

Olle ollebe at student.chalmers.se
Sat Mar 7 17:09:45 CST 2009


On Saturday 07 March 2009 22.40.45 James M wrote:
> Thanks for the suggestion Guillermo.  I copied your lines of code into
> config.php and it makes no difference when I go to login.
> Is there anything I'm missing?
>

It probably works fine, it's just that you don't notice any difference. Only 
when you click on Login is your password sent through HTTPS. 

But, the login page itself should be fetched with HTTPS as well. Otherwise, 
the user can't tell if the login form is an attempt to steal passwords, or if 
it's the Real Thing. 

So I suggest somehow changing the links and redirects that point to the login 
page, so that they str_replace http with https. I did something along those 
lines with our student society's wiki (by modifying the UserAuth2 recipe), 
and it works... reasonably. Just like the rest of PmWiki. ;-)

/Olle Bergkvist

> Thanks,
> James
>
>
> On Fri, Mar 6, 2009 at 6:51 PM, Guillermo Calderon - INCO <
>
> calderon at fing.edu.uy> wrote:
> > James M escribió:
> > > It seems that the login pages on pmwiki are `en clair' (unencrypted -
> > > eg not https). Is there any way around this, apart from hosting the
> > > whole site on https ?
> > > The IT guru who guards our servers at university is unhappy about
> > > having pmwiki installed where passwords are transmitted without being
> > > encrypted.
> >
> > In a previous message I wrote this:
> >
> > ===============
> > I have implemented a simple solution where only passwords are sent
> >    via SSL and the other posts are sent via http.
> >
> > In config.php:
> >
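> > // Escape the request-derived URL before it goes into the HTML attribute.
> > $AuthFormAction = htmlspecialchars(
> >     "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}", ENT_QUOTES);
> > SDVA($InputTags['auth_form'], array(
> >     ':html' => "<form action='$AuthFormAction' method='post'
> >         name='authform'>\$PostVars"));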
> >
> > This way the action field of the auth-form sends  all the information
> > via https.
> > ============================
> >
> >
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
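
One way to combine the two suggestions in this thread (post the password form to HTTPS, and fetch the login page itself over HTTPS), as an added example that is not code from any of the posters or from PmWiki. It assumes it is placed in config.php, that TLS terminates on the web server so PHP sets `$_SERVER['HTTPS']`, and that the login page is reached through `?action=login`; `$CanonicalHost`, `ExampleIsHttps()` and `ExampleHttpsUrl()` are hypothetical names.

```php
<?php
// Added example for PmWiki's config.php; not code from the thread.
// Assumption: TLS terminates on this web server, so PHP sets $_SERVER['HTTPS'].

// Hypothetical setting: the wiki's fixed host name. Taking the host from
// configuration rather than the Host header keeps a forged header out of
// the redirect target and the form action.
$CanonicalHost = 'wiki.example.org';

// True when the current request arrived over HTTPS.
function ExampleIsHttps() {
  return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Build the https:// URL of the current request on the fixed host.
function ExampleHttpsUrl($host) {
  $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
  // Drop control characters and accept only a local path.
  $uri = preg_replace('/[\x00-\x1f\x7f]/', '', $uri);
  if ($uri === '' || $uri[0] !== '/') $uri = '/';
  return "https://$host$uri";
}

// 1. Fetch the login page itself over HTTPS, so the visitor sees the
//    https:// address before typing a password.
$reqAction = isset($_GET['action']) ? $_GET['action'] : '';
if ($reqAction === 'login' && !ExampleIsHttps()) {
  header('Location: ' . ExampleHttpsUrl($CanonicalHost), true, 302);
  exit;
}

// 2. Post the password form to HTTPS (the approach quoted above), with the
//    URL escaped before it is placed inside the single-quoted attribute.
$AuthFormAction = htmlspecialchars(ExampleHttpsUrl($CanonicalHost), ENT_QUOTES);
SDVA($InputTags['auth_form'], array(
  ':html' => "<form action='$AuthFormAction' method='post'
    name='authform'>\$PostVars"));
```

The redirect only covers explicit `?action=login` requests; a password prompt shown on a protected page is still served over whatever scheme that page was requested with.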




