[pmwiki-users] session for .htpasswd authorization

[Neil Herber]

At 2006-04-25  12:10 PM -0400, Jihwang Yeo is rumored to have said:
>For example, a user logs in at a page at www.mywebsite.com/login
>then moves to a wiki page at www.mywebsite.com/wiki .
>If we use the same .htpasswd file for both pages, I would like to
>avoid users redundantly logging in for wiki.
>Is it possible with the current PmWiki code? Or otherwise
>any good idea?

I have several wikis that are inside realms protected by Apache Basic 
Authentication (BA). I wanted to avoid having users log in to the 
realm and then have to log in again to access the wiki.

Since the user has to log in using BA, I know that by the time they 
reach the wiki, they have been authenticated. What I want to do, is 
have PmWiki recognize the credentials issued by BA and force the 
author name and authenticated ID to the BA username. I do that by 
adding the following to my config.php file:

>## This will set the author field on all requests authenticated by 
>the webserver.
>## It will even override anything the author happens to put in the "Author"
>## box on the edit form.
>if (@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];
>
>## turn on the PmWiki authentication
>     include_once("$FarmD/scripts/authuser.php");
>##if someone has authenticated using Apache BA, then use that for local auth
>     if (@$_SERVER['REMOTE_USER'])
>         AuthUserId($pagename, $_SERVER['REMOTE_USER']);

The only problem this presents is if you restrict content within the 
wiki based on the authenticated ID. For example, if you don't allow 
user "FredSmith"  to see a certain page (by setting the read "attr"), 
when he tries to view that page, PmWiki will ask him for a password. 
I tried to get around this problem by changing the Site.AuthForm to:

>'''Sorry! Your password does not provide access to this page.'''
>If you think this is an error, please contact [[~Neil Herber]].

Does this answer your question at all?


Neil Herber
Corporate info at http://www.eton.ca/