[pmwiki-devel] AuthUser farm security
The Editor
editor at fast.st
Tue Jan 9 15:03:04 CST 2007
On 12/19/06, marc <gmane at auxbuss.com> wrote:
> Patrick R. Michaud said...
> > On Mon, Dec 18, 2006 at 05:09:45PM -0000, marc wrote:
> > > Patrick R. Michaud said...
> > > > On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > > >
> > > > > This page has some information at the very bottom
> > > > > using php code session_name('XYZSESSID');
> > > > >
> > > > > http://www.pmwiki.org/wiki/PmWiki/Passwords
> > > > >
> > > > > So of the three methods above, which is the best?
> > > >
> > > > Only the session name approach really separates things fully.
> > > > The user group approach isn't very clean, and somehow I don't think
> > > > the $CookiePrefix approach will work at all.
> > >
> > > I've just got round to testing the session name approach and failed to
> > > get it to work. The wiki has two fields. As the first line of each
> > > local/config.php I added unique session_name() calls. This resulted in
> > > the session cookies containing identical content, despite the different
> > > names.
> >
> > Unfortunately, if one is loading authuser.php from farmconfig.php
> > (or doing anything else that invokes PHP sessions) then calling
> > session_name() from local/config.php occurs too late, because
> > the session_name has to be set prior to any sessions being opened.
>
> > > > Still, if we can come up with a good way for each wiki on
> > > > a server to receive a unique identifier that it can use for
> > > > the session cookie, that would probably resolve things for
> > > > most people.

I've been studying up on this issue as I'm starting to have several
fields going, and was wondering if a solution was ever developed for
this? Is it something that could be added relatively easily to one of
the betas in 2.2?

I would much prefer to have one instance of PmWiki to deal with
upgrades... But I only have one domain and a bunch of forwarded
URLs.

Cheers,
Dan
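
The ordering constraint described in the quoted thread (session_name() must run before anything opens a PHP session), shown as an added example that is not part of the original message and is not PmWiki's own code. It assumes each field runs from its own directory so that getcwd() differs per wiki; FieldSessionName() is a hypothetical helper.

```php
<?php
// local/farmconfig.php -- added example, not PmWiki's own code.
if (!defined('PmWiki')) exit();

/**
 * Build a session cookie name that is unique to one wiki in the farm.
 *
 * Assumption: every field is served from its own directory, so the
 * directory path can act as the per-wiki identifier. The hash is used
 * only to get a short cookie-safe string; it is not a secret.
 * The letter prefix keeps the name valid, because PHP rejects session
 * names that consist only of digits.
 */
function FieldSessionName($fieldDir) {
    return 'PMWSESS' . substr(md5($fieldDir), 0, 12);
}

// session_name() has no effect on a session that is already open,
// so check first and make the failure visible instead of silently
// sharing one session (and its authentication state) across wikis.
if (session_id() !== '') {
    trigger_error(
        'Session already started; per-field session name not applied',
        E_USER_WARNING
    );
} else {
    session_name(FieldSessionName(getcwd()));
}

// Load anything that opens a session only after the name is set.
include_once("$FarmD/scripts/authuser.php");
```

With this ordering, a session_name() call in a field's local/config.php is no longer needed for separation, since the name is fixed before authuser.php is loaded.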