[pmwiki-users] PmWiki AuthUser/LDAP passwords stored in clear in PHP session files

Christophe David pmwiki at christophedavid.org
Mon Sep 10 03:43:06 CDT 2007


When using PmWiki with AuthUser/LDAP, the users' passwords are stored
in the clear in PHP session files on the server.

With LDAP, this password is typically used for many
applications/systems, and anyone who has read access to the PHP
session files can obtain the users' LDAP password, which is quite
annoying...

By default, in php.ini, "session.save_handler" is set to "files".

Changing it to 'mm', as (very poorly) documented, is supposed to store
the session variables in memory.  In practice, on Windows 2003/Apache,
the session files cannot be found on disk any longer, but the sessions
do not appear to be stored at all: users have to re-enter their
password for each request.

Is there a way to avoid this, ideally by not storing the users'
passwords in the clear in sessions, or by configuring PHP not to write the
sessions on disk?

Thank you in anticipation.

Christophe
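An added example, not code from PmWiki or from the message above: a PHP session save handler that encrypts the serialized session data at rest, which addresses the second option asked for (keeping whatever the session holds, password included, out of the on-disk files in clear) without relying on the 'mm' handler. It assumes PHP 8.0 or later with the sodium extension; the class name, key file path and session directory are hypothetical placeholders.

```php
<?php
// Added example, not PmWiki's own code: a session save handler that keeps the
// serialized session (which may hold the LDAP password) encrypted at rest, so read
// access to the session files alone no longer reveals it. Assumes PHP 8.0+ with sodium.
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private string $key; private string $dir;
    public function __construct(string $keyFile, string $dir)
    {
        // 32 random bytes kept outside the web root, readable only by the PHP process user.
        $key = @file_get_contents($keyFile);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException('session key file missing or not 32 bytes');
        }
        $this->key = $key; $this->dir = rtrim($dir, '/');
    }
    private function path(string $id): string
    {
        // Accept only PHP-generated session ids, so $id cannot steer the file path.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) { throw new RuntimeException('bad session id'); }
        return $this->dir . '/sess_' . $id;
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $blob = @file_get_contents($this->path($id));
        if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) { return ''; } // no session yet
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, strlen($nonce)), $nonce, $this->key);
        return $plain === false ? '' : $plain;   // tampered or foreign blob: start a fresh session
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);      // fresh nonce per write
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool { $p = $this->path($id); return !file_exists($p) || unlink($p); }
    public function gc(int $maxLifetime): int|false
    {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) + $maxLifetime < time());
        return count(array_filter($old, 'unlink'));
    }
}

// Placeholder paths; this must run before anything calls session_start().
session_set_save_handler(new EncryptedFileSessionHandler('/etc/pmwiki/session.key', '/var/lib/php/sessions'), true);
session_start();
```

Anyone who can read both the key file and the session files can still recover the password, so the key file must be readable by the PHP process user only, a narrower audience than everyone who can read a shared session directory. This does not address the first, stronger wish of not putting the password in the session at all.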


