[pmwiki-users] authuser forcing Author name stopped working?
Neil Herber
nospam at eton.ca
Fri Jul 8 00:30:36 CDT 2005
At 2005-07-07 09:57 PM -0700, H. Fox is rumored to have said:
> > It needs to do something like:
> >
> >   if user name on form exists in .htpasswd
> >     if passwords match
> >       user is authenticated, set author name
> >     else
> >       user is a spoofer, refuse entry
> >     endif
>
> authuser.php does this automatically.

Not on my system it doesn't!

For example, the username NeilHerber is in .htpasswd with an Apache MD5
crypted password.

There is a shared read password which is a city name. The shared read
password is set in config.php as follows:

    $DefaultPasswords['read'] = array(crypt('cityname'), 'id:*');

If I enter my name and proper password, everything works just fine.

If I enter my name and the city name as a password, that works too, but
according to what you say above, it should not. I hoped it would not,
because it means that any user who knows the shared password can spoof
being me.

There is a big difference, though. In the case of NeilHerber with proper
password, $authid gets set to NeilHerber. In the case of NeilHerber with
cityname password, $authid does not get set. As far as that goes, it is
appropriate behaviour, because I have not been authenticated in the second
case.

I will probably not be able to respond further for the next 5 hours, but I
would like to resolve this if I can. After noon EDT on Friday, I am just
going to have to live with what is working then, because I will be unable
to access the server for a while.

Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
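
The check sketched in the quoted pseudocode above, as an added example that is not part of the original message and is not PmWiki or authuser.php code. The account table, the shared-password hash and the function name checkLogin are hypothetical, and password_hash() stands in for the Apache MD5 entries of a real .htpasswd file.

```php
<?php
// Added example, not PmWiki code. All names below are hypothetical.

// Constructed stand-in for .htpasswd: username => password hash.
$accounts = ['NeilHerber' => password_hash('neils-own-password', PASSWORD_DEFAULT)];

// Constructed stand-in for the shared read password ("cityname" in the message).
$sharedReadHash = password_hash('cityname', PASSWORD_DEFAULT);

/**
 * Decide what a login attempt is allowed to do.
 * Returns ['read' => bool, 'authid' => ?string, 'author' => ?string].
 */
function checkLogin(array $accounts, string $sharedReadHash, string $name, string $password): array
{
    $denied = ['read' => false, 'authid' => null, 'author' => null];

    if (array_key_exists($name, $accounts)) {
        // The name belongs to a registered account: only that account's own
        // password is acceptable. The shared password is never tried as a
        // fallback, otherwise anyone who knows it could claim this name.
        if (password_verify($password, $accounts[$name])) {
            return ['read' => true, 'authid' => $name, 'author' => $name];
        }
        return $denied;
    }

    // Unregistered or empty name: the shared password grants read access only.
    // No identity is established, so no author name is taken from the form.
    if (password_verify($password, $sharedReadHash)) {
        return ['read' => true, 'authid' => null, 'author' => null];
    }
    return $denied;
}

// Constructed attempts mirroring the cases described in the message.
$attempts = [
    ['NeilHerber', 'neils-own-password'], // registered name, own password
    ['NeilHerber', 'cityname'],           // registered name, shared password
    ['',           'cityname'],           // no name, shared password
];
foreach ($attempts as [$name, $pw]) {
    $r = checkLogin($accounts, $sharedReadHash, $name, $pw);
    printf("%-12s %-20s read=%s authid=%s\n", $name === '' ? '(none)' : $name, $pw,
        $r['read'] ? 'yes' : 'no', $r['authid'] ?? '-');
}
```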