[pmwiki-devel] AuthUser farm security

marc gmane at auxbuss.com
Mon Dec 18 11:09:45 CST 2006


Patrick R. Michaud said...
> On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > Just learned that when logged into one wiki using AuthUser, you
> > have access to all wikis in that farm which also use AuthUser.
> 
> This is true only when all of the wikis in the farm have
> the same domain name.
> 
> > This page has some information at the very bottom
> > using php code    session_name('XYZSESSID');
> > 
> >    http://www.pmwiki.org/wiki/PmWiki/Passwords
> > 
> > This page has some information near the bottom with the
> > heading "Ugh - Authentication Sessions and Farms".  It suggests
> > two ways, using a different user group for each farm or using
> > php code    $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';
> > 
> >    http://www.pmwiki.org/wiki/Cookbook/AuthUser
> > 
> > So of the three methods above, which is the best?
> 
> Only the session name approach really separates things fully.
> The user group approach isn't very clean, and somehow I don't think
> the $CookiePrefix approach will work at all.  

I've just got round to testing the session name approach and failed to 
get it to work. The wiki has two fields. As the first line of each 
local/config.php I added unique session_name() calls. This resulted in 
the session cookies containing identical content, despite the different 
names.

> Still, if we can come up with a good way for each wiki on
> a server to receive a unique identifier that it can use for
> the session cookie, that would probably resolve things for
> most people.

That would be great.

-- 
Best,
Marc
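
The behaviour Patrick describes, as an added model that is not part of the original post and not PmWiki code: one browser cookie jar and one shared server-side session store, with wikis told apart only by host and session cookie name. The "authid" key, the hosts, the paths and session_name_for() are assumptions made for this model.

```python
# Added model (not PmWiki code): browser cookie jar + PHP-style session store.
import hashlib
import secrets

class SessionStore:
    """Server-side session data keyed by session id, shared by the whole farm."""
    def __init__(self):
        self.data = {}

    def open(self, sid):
        # Unknown or missing id: start a fresh, empty session.
        if sid not in self.data:
            sid = secrets.token_hex(16)
            self.data[sid] = {}
        return sid, self.data[sid]

class Wiki:
    def __init__(self, host, session_name, store):
        self.host, self.session_name, self.store = host, session_name, store

    def request(self, jar, login_as=None):
        """Handle one request; jar maps (host, cookie name) -> cookie value."""
        key = (self.host, self.session_name)
        sid, session = self.store.open(jar.get(key))
        jar[key] = sid                      # Set-Cookie: <session_name>=<sid>
        if login_as:
            session["authid"] = login_as    # "authid": this model's login key
        return session.get("authid")

def visitor_seen_by_second_wiki(host_a, name_a, host_b, name_b):
    """Log in to wiki A, then visit wiki B with the same browser."""
    store, jar = SessionStore(), {}
    Wiki(host_a, name_a, store).request(jar, login_as="alice")
    return Wiki(host_b, name_b, store).request(jar)

def session_name_for(wiki_dir):
    """Hypothetical per-wiki identifier: letters plus a hash of the wiki's directory."""
    return "WIKI" + hashlib.sha256(wiki_dir.encode()).hexdigest()[:8]

if __name__ == "__main__":
    # Constructed hosts and directories, for illustration only.
    same = visitor_seen_by_second_wiki("example.org", "PHPSESSID",
                                       "example.org", "PHPSESSID")
    split = visitor_seen_by_second_wiki("example.org", session_name_for("/srv/farm/a"),
                                        "example.org", session_name_for("/srv/farm/b"))
    print("shared name:", same, "| per-wiki names:", split)
```

In this model the second wiki sees the login only when both host and session cookie name match; it does not reproduce the identical-cookie result reported above.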



