[Pmwiki-users] PmWiki password puzzles
John Rankin
john.rankin
Mon Aug 30 18:58:48 CDT 2004
I like #2 because it is easy to explain to users and they don't have
to remember anything special.
I think #2 is slightly friendlier than #3; consider the following:
- a page has different read and edit passwords
- in #3, I have to enter both passwords if I want to read and edit
- in #2, I can enter just the edit password and I will also be able
to read
JR
On Tuesday, 31 August 2004 4:15 AM, Ciaran <ciaranj at gmail.com> wrote:
>I like #2 and #3, although Alex's point is very well made, but that
>could happen by coincidence anyway? It's not really more likely to
>occur just because the browser's caching the password, the user would
>instinctively try their password anyway...
>
>As to keeping track of whether a page is password protected, perhaps
>we could have a variable to use in the template that tells us whether
>they're in password-edit mode or password-read mode, etc.?
>- Ciaran
>
>
>On Mon, 30 Aug 2004 16:22:14 +0200, Alexandre Courbot
><alexandre.courbot at lifl.fr> wrote:
>>
>> >>*** Q1: Any one have comments in favor of or against switching to
>> >>session-based authentication as the default?
>> >
>> >
>> > Seems like a good optimization for the common case.
>>
>> I think so too. I've just set up the devel version of PmWiki to start a new
>> site, and unfortunately I'm in the case where I can't use HTTP-based
>> authentication. And I don't have a sessionauth script with this version.
>>
>> Anyway, using session-based authentication by default is not really
>> likely to bother people (and if it does, they should be able to include
>> an httpauth script).
>>
>> >> 1. Leave things as they are--someone wanting to avoid the
>> >> alternating edit+read password problem in pages would then set
>> >> the edit password in both the edit and read password fields.
>> >> 2. Have the system assume that a person who knows the edit or
>> >> attribute password is automatically given read permission to a
>> >> page without having to explicitly enter or know the read
>> >> password.
>> >> 3. Have the system cache all of the passwords that have been entered
>> >> during a browser session, and test each page request against the
>> >> set of passwords (so that a user would only have to enter each
>> >> unique password once per browsing session).
>> >>
>> >>*** Q2: But my question is, what should be PmWiki's "default" setup in
>> >>the distributed version?
>> >
>> >
>> > #2 and #3.
>>
>> #2 is good IMO, since the levels are inclusive. #3 might allow a user to
>> have access to a page he shouldn't, if by chance they have the same
>> password (even though the user doesn't know it).
>>
>> Alex.
>> --
>> Alexandre Courbot
>> PhD Student - LIFL/RD2P
>> http://www.lifl.fr/~courbot/
>>
--
JR
--
John Rankin
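
The three options discussed in this thread can be compared with a small model. This is an added example, not PmWiki code and not part of the original messages. The page names and passwords are constructed, passwords are compared in clear text for brevity, and it assumes that options 1 and 2 test only the most recently entered password while option 3 tests every password entered during the session.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    name: str
    passwords: dict  # level ("read"/"edit"/"attr") -> password; absent = open

@dataclass
class Session:
    entered: list = field(default_factory=list)  # passwords typed, oldest first

def allowed(option, page, level, session):
    """True if the session may act at `level` on `page` under option 1, 2 or 3."""
    required = page.passwords.get(level)
    if required is None:
        return True                      # this level is not protected
    if not session.entered:
        return False
    latest = session.entered[-1]         # assumption: options 1 and 2 hold one password
    if option == 1:
        return latest == required
    if option == 2:                      # edit/attr password also grants read
        accepted = {required}
        if level == "read":
            accepted |= {page.passwords[l] for l in ("edit", "attr")
                         if l in page.passwords}
        return latest in accepted
    if option == 3:                      # every password typed this session is tried
        return required in session.entered
    raise ValueError(f"unknown option {option}")

def compare(page, level, session):
    """Decision under each option, keyed by option number."""
    return {opt: allowed(opt, page, level, session) for opt in (1, 2, 3)}

# Constructed sample data
plans = Page("Main.Plans", {"read": "r-plans", "edit": "e-plans"})
payroll = Page("Staff.Payroll", {"read": "e-plans"})   # same password by chance

only_edit = Session(["e-plans"])            # user typed just the edit password
moved_on = Session(["e-plans", "r-other"])  # later typed a different password

if __name__ == "__main__":
    print("read Plans, edit pw only:     ", compare(plans, "read", only_edit))
    print("edit Plans, edit pw only:     ", compare(plans, "edit", only_edit))
    print("read Payroll, after moving on:", compare(payroll, "read", moved_on))
```

The first line of output reflects the point about #2 being friendlier (only #2 lets the edit password read the page), and the last reflects the concern about #3: a cached password keeps opening any page that happens to share it.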