[pmwiki-users] Performance problems with passwords

Petko Yotov 5ko at 5ko.fr
Sat Oct 22 23:53:05 CDT 2016


On 2016-10-23 01:55, Tyler Spivey wrote:
> On 10/21/2016 1:15 AM, Petko Yotov wrote:
>> If I understand correctly, one could set to 'nopass'
>> $DefaultPasswords['admin'] or $DefaultPasswords['upload'] to allow
>> anyone to edit everywhere or to upload. But this is probably unneeded 
>> on
>> the vast majority of the websites running on PmWiki.
> 
> The way I understood it from the documentation was that nopass was used
> as an edit password to allow unprotected editing of a page whose group
> had an edit password, or for editing of a group protected by a site
> password, or unprotecting a page otherwise protected by a password.

For such groups or pages one should now use "@nopass", not "nopass".

But indeed, many years ago the encrypted "nopass" password could be used 
in such places. The snippet ensures backward compatibility for old wiki 
pages.

>> For stats close to the real life usage, you might enable cookies in
>> curl, like most real users will have cookies allowed. The session data
>> for authentication is stored, and the key is send to a browser cookie.
> 
> I tried this, with some interesting results. With $AllowPassword =
> false, my page load times went back to what I would expect (55ms or
> so).
> When I edit a page, the expected password hashing is done to verify my
> edit password.
> Then when I go back, say to the homepage which has no password, it
> still checks passwords, even when the site, group or page doesn't have
> a read password which needs to be checked.

Do you again mean that pmcrypt() is called?

PmWiki will always try to read the current page as well as the 
GroupAttributes page if it exists, and check their passwords. Opening 
the files from the disk will require a few milliseconds, but if no 
"passwdread" attributes are present, there shouldn't be a need to call 
pmcrypt().

If one requires a different authentication logic, one can define the 
$AuthFunction global variable with a custom function that does the 
checking:

   $AuthFunction = "MyPmWikiAuth"; # replacement for PmWikiAuth()
   function MyPmWikiAuth($pagename,$level,$authprompt=true,$since=0){...}

Petko



More information about the pmwiki-users mailing list