[pmwiki-users] PmWiki AuthUser/LDAP passwords stored in clear in PHP session files
Christophe David
pmwiki at christophedavid.org
Mon Sep 10 03:43:06 CDT 2007
When using PmWiki with AuthUser/LDAP, the users' passwords are stored in clear in the PHP session files on the server.

With LDAP, this password is typically used for many applications/systems, and anyone who has read access to the PHP session files can obtain the users' LDAP password, which is quite annoying...

By default, in php.ini, "session.save_handler" is set to "files". Changing it to 'mm', as (very poorly) documented, is supposed to store the session variables in memory. In practice, on Windows 2003/Apache, the session files can no longer be found on disk, but the sessions do not appear to be stored at all: users have to re-enter their password for each request.

Is there a way to avoid this, ideally by not storing the users' passwords in clear in sessions, or by configuring PHP not to write the sessions to disk?
Thank you in anticipation.
Christophe
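One mitigation for the question above, given here as an added example and not code from PmWiki or the poster: a custom PHP session save handler that encrypts each session file with libsodium before it is written, so someone who can read the session directory sees only ciphertext. It assumes PHP 8.1 or later with the sodium extension, and a 32-byte key supplied base64-encoded in an environment variable called SESSION_KEY (an assumed name) that is kept out of reach of whoever can read the session files.

```php
<?php
// Added example (not PmWiki code): encrypt PHP session payloads at rest with libsodium.
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $key) {}
    private function path(string $id): string
    {
        // Accept only plain token ids so a crafted id cannot escape $dir.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $blob = @file_get_contents($this->path($id));
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';  // no session stored yet
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(
            substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? '' : $plain;  // wrong key or tampered file: treat as empty
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh nonce per write
        $file  = $this->path($id);
        $ok    = file_put_contents($file, $nonce . sodium_crypto_secretbox($data, $nonce, $this->key), LOCK_EX);
        return $ok !== false && chmod($file, 0600);  // owner-only, like PHP's own files handler
    }
    public function destroy(string $id): bool { $f = $this->path($id); return !is_file($f) || unlink($f); }
    public function gc(int $maxLifetime): int|false
    {
        $n = 0;  // remove expired session files, return how many were deleted
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
}

$key = base64_decode(getenv('SESSION_KEY') ?: '', true);  // SESSION_KEY is an assumed name
if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    throw new RuntimeException('SESSION_KEY must decode to 32 bytes');
}
session_set_save_handler(new EncryptedFileSessionHandler(rtrim(sys_get_temp_dir(), '/'), $key), true);
session_start();  // the handler must be registered before anything starts the session
```

This only protects the copy on disk: the password still sits in $_SESSION while a request runs, and the key is now the secret whose storage decides how much the encryption is worth.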