[pmwiki-devel] session contains password in plaintext ?!
Patrick R. Michaud
pmichaud at pobox.com
Fri Nov 24 15:17:28 CST 2006
On Fri, Nov 17, 2006 at 07:31:22AM +0100, pmwiki-devel.10.kompjuta at spamgourmet.com wrote:
> Hello,
>
> Is it necessary for the session to contain the password in plaintext?
> Should a loginname in the session be enough to validate the
> user/browser combination!?
>
> IsAuthorized() then has to distinguish two cases:
> 1. session exists -> AuthId=loginname
> 2. session does not exist -> ask for login+password
>
> No plain passwords are saved on serverside.
For systems running without authuser, the passwords
need to be held locally somewhere to test authentication
against per-page passwords.
Pm
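
Added example (not part of the original message and not PmWiki's code): a small Python model of the point in the reply, that without per-user logins the entered password has to be re-tested against each page's own password hash. The page names, salts, session keys and the PBKDF2 hash are assumptions made for illustration.

```python
import hashlib
import hmac

def page_hash(password, salt):
    # Each page stores its own salted hash; PBKDF2 is a stand-in hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_page(password, salt):
    return {"salt": salt, "hash": page_hash(password, salt)}

# Constructed sample data: three pages, two of them sharing the password "alpha".
PAGES = {
    "Main.HomePage": make_page("alpha", b"salt-homepage"),
    "Main.Notes": make_page("alpha", b"salt-notes"),
    "Main.Secret": make_page("beta", b"salt-secret"),
}

def authorized(page, session, entered=None):
    """Plaintext-in-session model: try every password entered so far
    against the requested page's own salted hash."""
    if entered is not None and entered not in session["entered_passwords"]:
        session["entered_passwords"].append(entered)
    rec = PAGES[page]
    return any(
        hmac.compare_digest(page_hash(pw, rec["salt"]), rec["hash"])
        for pw in session["entered_passwords"]
    )

def authorized_hash_only(page, session):
    """Alternative model: the session keeps only the hashes of pages already
    unlocked. A different page has a different salt, so nothing matches."""
    return any(
        hmac.compare_digest(h, PAGES[page]["hash"])
        for h in session["unlocked_hashes"]
    )

if __name__ == "__main__":
    s = {"entered_passwords": []}
    print(authorized("Main.HomePage", s, "alpha"))  # password typed once
    print(authorized("Main.Notes", s))              # same password, other page
    print(authorized("Main.Secret", s))             # different password
    h = {"unlocked_hashes": [PAGES["Main.HomePage"]["hash"]]}
    print(authorized_hash_only("Main.Notes", h))    # hash alone cannot be reused
```

The cost of the first model is the one raised in the question: anyone who can read the server-side session store can read the passwords held in it.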