[pmwiki-users] security (again!)

James M jamesm1415 at googlemail.com
Sun Mar 8 09:44:39 CDT 2009


Thanks Olle - I understand now.
Patrick: isn't this something that could/should be built in to pmwiki, or at
least to AuthUser ?

Thanks, James


On Sat, Mar 7, 2009 at 11:09 PM, Olle <ollebe at student.chalmers.se> wrote:

> On Saturday 07 March 2009 22.40.45 James M wrote:
> > Thanks for the suggestion Guillermo.  I copied your lines of code into
> > config.php and it makes no difference when I go to login.
> > Is there anything I'm missing?
> >
>
> It probably works fine, it's just that you don't notice any difference.
> Only when you click on Login is your password sent through HTTPS.
>
> But, the login page itself should be fetched with HTTPS as well. Otherwise,
> the user can't tell if the login form is an attempt to steal passwords, or
> if it's the Real Thing.
>
> So I suggest somehow changing the links and redirects that point to the
> login page, so that they str_replace http with https. I did something along
> those lines with our student society's wiki (by modifying the UserAuth2
> recipe), and it works... reasonably. Just like the rest of Pmwiki. ;-)
>
> /Olle Bergkvist
>
> > Thanks,
> > James
> >
> >
> > On Fri, Mar 6, 2009 at 6:51 PM, Guillermo Calderon - INCO
> > <calderon at fing.edu.uy> wrote:
> > > James M wrote:
> > > > It seems that the login pages on pmwiki are `en clair' (unencrypted -
> > > > eg not https). Is there any way around this, apart from hosting the
> > > > whole site on https ?
> > > > The IT guru who guards our servers at university is unhappy about
> > > > having pmwiki installed where passwords are transmitted without being
> > > > encrypted.
> > >
> > > In a previous message I wrote this:
> > >
> > > ===============
> > > I have implemented a simple solution where only passwords are sent
> > > via SSL and the other posts are sent via http.
> > >
> > > In config.php:
> > >
> > > SDVA($InputTags['auth_form'], array(
> > >     ':html' => "<form action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'
> > >          method='post' name='authform'>\$PostVars"));
> > >
> > > This way the action field of the auth-form sends all the information
> > > via https.
> > > ============================
> > >
> > >
> > > _______________________________________________
> > > pmwiki-users mailing list
> > > pmwiki-users at pmichaud.com
> > > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>

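Olle's point in the thread above, that the login page itself should arrive over HTTPS and not only the form post, can be handled by redirecting plain-HTTP login requests before the form is rendered. The sketch below is an added example, not code from the thread, PmWiki or any recipe; the function name, the host allowlist and `wiki.example.edu` are assumptions, and it only covers requests carrying `?action=login`.

```php
<?php
// Added example: not PmWiki, AuthUser or UserAuth2 code.
// login_https_target() and $allowedHosts are hypothetical names.

/**
 * Return the https:// URL a plain-HTTP login request should be redirected to,
 * or null when no redirect applies (already HTTPS, or not ?action=login).
 */
function login_https_target(array $server, array $query, array $allowedHosts): ?string
{
    $isHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    if ($isHttps || ($query['action'] ?? '') !== 'login') {
        return null;
    }
    // HTTP_HOST comes from the client: never redirect to a host we do not serve.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    // Keep the path and query, but only if it is a local absolute path.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';
    }
    return "https://{$host}{$uri}";
}

// In config.php the call would be (assumed placement, before any output):
//   if ($url = login_https_target($_SERVER, $_GET, ['wiki.example.edu'])) {
//       header("Location: $url", true, 302);
//       exit;
//   }

// Constructed sample requests, not real traffic.
$allowed = ['wiki.example.edu'];
$samples = [
    'http login'  => [['HTTP_HOST' => 'wiki.example.edu', 'REQUEST_URI' => '/pmwiki.php?n=Main.HomePage&action=login'], ['action' => 'login']],
    'https login' => [['HTTPS' => 'on', 'HTTP_HOST' => 'wiki.example.edu', 'REQUEST_URI' => '/pmwiki.php?action=login'], ['action' => 'login']],
    'forged host' => [['HTTP_HOST' => 'attacker.example', 'REQUEST_URI' => '/pmwiki.php?action=login'], ['action' => 'login']],
    'normal page' => [['HTTP_HOST' => 'wiki.example.edu', 'REQUEST_URI' => '/pmwiki.php?n=Main.HomePage'], []],
];
foreach ($samples as $label => [$server, $query]) {
    printf("%-12s => %s\n", $label, var_export(login_https_target($server, $query, $allowed), true));
}
```

The first request and the page that links to the login form still travel over HTTP, so this narrows the exposure Olle describes but does not remove it; serving the whole site over HTTPS does.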
