[pmwiki-devel] AuthUser farm security

Patrick R. Michaud pmichaud at pobox.com
Mon Dec 18 11:47:21 CST 2006


On Mon, Dec 18, 2006 at 05:09:45PM -0000, marc wrote:
> Patrick R. Michaud said...
> > On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> > > Just learned that when logged into one wiki using AuthUser, you
> > > have access to all wikis in that farm which also use AuthUser.
> > 
> > This is true only when all of the wikis in the farm have
> > the same domain name.
> > 
> > > This page has some information at the very bottom
> > > using php code    session_name('XYZSESSID');
> > > 
> > >    http://www.pmwiki.org/wiki/PmWiki/Passwords
> > > 
> > > This page has some information near the bottom with the
> > > heading "Ugh - Authentication Sessions and Farms".  It suggests
> > > two ways, using a different user group for each farm or using
> > > php code    $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';
> > > 
> > >    http://www.pmwiki.org/wiki/Cookbook/AuthUser
> > > 
> > > So of the three methods above, which is the best?
> > 
> > Only the session name approach really separates things fully.
> > The user group approach isn't very clean, and somehow I don't think
> > the $CookiePrefix approach will work at all.  
> 
> I've just got round to testing the session name approach and failed to 
> get it to work. The wiki has two fields. As the first line of each 
> local/config.php I added unique session_name() calls. This resulted in 
> the session cookies containing identical content, despite the different 
> names.

Unfortunately, if one is loading authuser.php from farmconfig.php
(or doing anything else that invokes PHP sessions) then calling
session_name() from local/config.php occurs too late, because
the session_name has to be set prior to any sessions being opened.

> > Still, if we can come up with a good way for each wiki on
> > a server to receive a unique identifier that it can use for
> > the session cookie, that would probably resolve things for
> > most people.
> 
> That would be great.

Any ideas?  All of the ones I can come up with are pretty icky
and/or not very reliable.

Pm
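A concrete illustration of the ordering constraint Pm describes, added here as an example; it is not code from this thread or from PmWiki itself. It assumes a farm whose farmconfig.php runs before any script opens a session, and it derives a per-wiki name from the field's script directory (an assumed source of a unique identifier; dirname($_SERVER['SCRIPT_FILENAME']) stands in for whatever your farm uses). The function names farm_session_name and apply_farm_session_name are hypothetical.

```php
<?php
// Added example, not from the thread or PmWiki. It shows the constraint
// discussed above: session_name() only takes effect if it runs before the
// first session_start(), so a per-wiki name has to be chosen in
// farmconfig.php (or earlier), not in local/config.php once authuser.php
// has already opened a session.

// Derive a session/cookie name unique to this wiki. The field's script
// directory is assumed to be unique per wiki in the farm; session_name()
// only accepts alphanumeric names, so the path is hashed and prefixed.
// Function name is hypothetical.
function farm_session_name(string $field_dir): string {
    $real = realpath($field_dir);
    return 'PM' . substr(md5($real !== false ? $real : $field_dir), 0, 12);
}

// Returns true if the name was applied, false if a session is already open
// (the "too late" case in the thread), so the caller can see why it failed.
function apply_farm_session_name(string $field_dir): bool {
    if (session_status() !== PHP_SESSION_NONE) {
        return false; // session_name() here would not rename the open session
    }
    session_name(farm_session_name($field_dir));
    return true;
}

// In farmconfig.php, before include_once("$FarmD/scripts/authuser.php"):
if (!apply_farm_session_name(dirname($_SERVER['SCRIPT_FILENAME']))) {
    trigger_error('session already started; set session_name() earlier',
                  E_USER_WARNING);
}
```

With this in place, two fields on the same domain send and read different cookie names, so a login on one no longer presents its session id to the other. The name is only as unique as the directory it is derived from, and changing it once deployed invalidates existing logins, since the browser's old cookie is simply no longer read.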
