[pmwiki-users-fr] PmWIki AuthUser/LDAP passwords stored in clear in PHP session files
pmwiki at christophedavid.org
Wed 29 Aug 02:38:10 CDT 2007
When using PmWiki with AuthUser/LDAP, the users' passwords are stored
in the clear in the PHP session files on the server.
With LDAP, this password is typically used for many
applications/systems, and anyone who has read access to the PHP
session files can obtain the users' LDAP password, which is quite
By default, in php.ini, "session.save_handler" is set to "files".
Changing it to "mm", as (very poorly) documented, is supposed to store
the session variable in memory. In practice, on Windows 2003/Apache,
the session files cannot be found on disk any longer, but the sessions
do not appear to be stored at all: users have to re-enter their
password for each request.
Is there a way to avoid this, ideally by not storing the users'
passwords in the clear in sessions, or by configuring PHP not to write the
sessions to disk?
Thank you in anticipation.
More information on the pmwiki-users-fr mailing list
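One way to get what the post asks for without relying on the "mm" handler: keep session.save_handler at "files", but register a custom handler so that what lands on disk is ciphertext, with the key held only in the browser's cookie and never stored server side. This is an added example and is not PmWiki's own code or anything from the AuthUser module; it assumes PHP 7.2 or later with the sodium extension, a writable session directory, and a cookie name ("pmwiki_sesskey") chosen for this example.

```php
<?php
// Added example, not PmWiki code. Assumes PHP >= 7.2 with the sodium
// extension. Session files are still written, but as secretbox ciphertext;
// the key lives only in the client's cookie, so read access to the session
// directory alone does not yield whatever AuthUser put in $_SESSION.

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private $dir;
    private $key;

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    public function open($savePath, $sessionName): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    // The session id comes from the client cookie: whitelist it so a crafted
    // id cannot point outside the session directory.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function read($id): string
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';
        }
        $blob = (string) file_get_contents($file);
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return '';
        }
        $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $this->key);
        // Wrong key (another browser) or tampered file: behave as "no session".
        return $plain === false ? '' : $plain;
    }

    public function write($id, $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }

    public function destroy($id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc($maxlifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxlifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Per-browser key, kept only in a cookie and never written server side.
// The cookie name is an assumption of this example.
function sessionKeyFromCookie(string $cookieName = 'pmwiki_sesskey'): string
{
    $len = SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
    if (isset($_COOKIE[$cookieName])) {
        $key = base64_decode($_COOKIE[$cookieName], true);
        if ($key !== false && strlen($key) === $len) {
            return $key;
        }
    }
    $key = random_bytes($len);
    // Session cookie (expiry 0), Secure, HttpOnly: the key dies with the browser.
    setcookie($cookieName, base64_encode($key), 0, '/', '', true, true);
    return $key;
}

// Register before session_start(), e.g. at the top of local/config.php.
$handler = new EncryptedFileSessionHandler(session_save_path() ?: sys_get_temp_dir(),
                                           sessionKeyFromCookie());
session_set_save_handler($handler, true);
session_start();
```

Two caveats. The session cookie and the key cookie travel together, so anyone who can capture the client's requests (or read both the cookie jar and the session file) still recovers the password; this protects against a reader of the server filesystem, which is the threat the post describes, not against a full compromise of the web server, which sees the password at login anyway. And the sounder fix remains keeping the password out of $_SESSION altogether and storing only an authenticated identity, which is possible only if AuthUser does not need to bind to LDAP again on later requests; the post does not say whether it does.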