[pmwiki-users] Considerations about security for PmWiki

Dominique Faure dominique.faure at laposte.net
Wed Jan 26 01:04:08 CST 2005


Hi,

I was looking for a means to change author credentials without closing the
browser, and I just found that the current password is stored in plain
text form in the php session file.

In a related topic a few weeks ago, someone here was complaining that the php
crypt() function used in PmWiki to define passwords is not always
available with every php installation.

Could we have a new or an updated PITS entry about that:
* Being able to choose in config.php the desired hash algorithm to handle
password encryption (md5, sha1 or one I may have designed myself).
* Keeping them stored in encrypted form everywhere (even in the session
data).

BTW, here's a small '?action=logout' hack to make the browser forget the
current password. Just paste the following code into your config.php:

-----8<---------------------------------------------------------
SDV($HandleActions['logout'], 'HandleLogout');

function HandleLogout($pagename) {
  // Attach to the running session unless PmWiki has already started one;
  // a second session_start() would only raise a notice.
  if (session_id() == '') session_start();
  // Drop every session variable, including the stored password.
  session_unset();
  $_SESSION = array();
  // Expire the session cookie so the browser stops sending the old id.
  if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
  }
  // Remove the session file on the server side as well.
  session_destroy();
  Redirect($pagename);
}
-----8<---------------------------------------------------------

Best regards,
Dominique
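
Added example, not PmWiki's own code and not part of Dominique's post: one way of doing what the two PITS points above ask for, in PHP. A setting in config.php selects the hash (crypt, md5 or sha1, with a fallback when crypt() is not compiled in), page passwords are defined as hashes, and on a successful check the session records only the matched hash, so the plaintext password is never written to the session file. $PasswordHashAlgo, MakeSalt(), HashPassword(), CheckPassword(), RememberPassword() and IsPasswordAuthorized() are hypothetical names; $DefaultPasswords['edit'] is used as in PmWiki; the password 's3cret' in the demo is constructed for the example.

```php
<?php
// Added example (not PmWiki's code): config.php-selectable password hash
// plus a session that stores the matched hash instead of the plaintext.
// $PasswordHashAlgo and all functions below are hypothetical names.

// --- config.php ---------------------------------------------------------
// 'crypt' (salted) is preferable, but crypt() is not built on every PHP
// installation, so fall back to sha1 when it is missing.
$PasswordHashAlgo = function_exists('crypt') ? 'crypt' : 'sha1';

// --- hashing helpers ----------------------------------------------------
// MD5-crypt salt ('$1$' + 8 chars). Assumes CRYPT_MD5 support, which is
// standard since PHP 5.3 but was platform-dependent earlier.
function MakeSalt() {
  $chars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  $salt = '';
  for ($i = 0; $i < 8; $i++) $salt .= $chars[mt_rand(0, 63)];
  return '$1$' . $salt . '$';
}

// Hash a plaintext password. For crypt(), an existing $stored hash supplies
// the salt so the result is comparable with it; md5/sha1 ignore $stored.
function HashPassword($plain, $stored = null) {
  global $PasswordHashAlgo;
  switch ($PasswordHashAlgo) {
    case 'crypt': return crypt($plain, $stored === null ? MakeSalt() : $stored);
    case 'md5':   return md5($plain);
    case 'sha1':  return sha1($plain);
    default:
      trigger_error("unknown \$PasswordHashAlgo '$PasswordHashAlgo'", E_USER_ERROR);
      return null;
  }
}

// Comparison that does not depend on which algorithm is configured.
function CheckPassword($plain, $stored) {
  return HashPassword($plain, $stored) === $stored;
}

// --- session handling ---------------------------------------------------
// On success remember only the stored hash that was matched. A stolen
// session file then reveals nothing beyond what config.php already holds.
function RememberPassword($plain, $stored) {
  if (!CheckPassword($plain, $stored)) return false;
  $_SESSION['authhash'][$stored] = true;
  return true;
}

// Later requests ask whether a given stored hash has already been proven.
function IsPasswordAuthorized($stored) {
  return !empty($_SESSION['authhash'][$stored]);
}

// --- demo with a constructed password (not a real site secret) ----------
if (session_id() == '') session_start();
$DefaultPasswords['edit'] = HashPassword('s3cret');   // in real use, paste the hash into config.php
$stored = $DefaultPasswords['edit'];

echo "wrong password accepted?  ", RememberPassword('wrong', $stored) ? 'yes' : 'no', "\n";
echo "authorized before login?  ", IsPasswordAuthorized($stored) ? 'yes' : 'no', "\n";
echo "right password accepted?  ", RememberPassword('s3cret', $stored) ? 'yes' : 'no', "\n";
echo "authorized after login?   ", IsPasswordAuthorized($stored) ? 'yes' : 'no', "\n";
echo "session holds plaintext?  ", strpos(serialize($_SESSION), 's3cret') === false ? 'no' : 'yes', "\n";
?>
```

Two caveats for anyone adopting this: md5 and sha1 here are unsalted and fast, so the crypt option should be preferred wherever crypt() exists; and the session entry still authorizes whoever presents that session id, so the '?action=logout' hack above (session_destroy() plus expiring the cookie) remains necessary.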