[pmwiki-users] Password Anomaly

Patrick R. Michaud pmichaud at pobox.com
Sun Feb 20 17:08:32 CST 2005


On Sun, Feb 20, 2005 at 07:32:59PM +0000, Hans wrote:
> Sunday, February 20, 2005, 7:13:26 PM, Hans wrote:
> > This seems to be a serious security breach in Firefox.
> 
> Or not?
> 
> I did some more tests, and found that there were two cookies set with
> name PHPSESSID, one of which was set to expire at the end of the
> browser session, the other in a year's time (10 Feb 2006). When I
> deleted this last cookie and exited Firefox, and then restarted
> Firefox, the password dialogue came up.

Hmm.  This actually may be a configuration outside of PmWiki.
PmWiki's authentication routines simply call session_start(), they
don't set any parameters or requirements on them.  Thus, if a PHP
environment has been configured with the session.cookie_lifetime
configuration option set to a value other than zero (PHP's default), 
then it's entirely possible that the passwords will be remembered
beyond a browser close.  (To check: set $EnableDiag=1; in config.php,
browse to a page with ?action=phpinfo, and look for the 
session.cookie_lifetime setting.)

Also, if there are other PHP scripts being run from the same domain,
they may set session cookies that have different expiration times
or values from the one that PmWiki is using, and that could be
confusing things slightly.

Pm
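The two points Pm makes above (PmWiki just calls session_start(), so php.ini's session.cookie_lifetime decides whether PHPSESSID outlives the browser; and another PHP application on the same host can set its own PHPSESSID) can be checked and pinned down from the wiki's own configuration. The following is an added example, not PmWiki's code and not something Pm posted; it assumes that config.php is executed before PmWiki's authentication code calls session_start(), and the cookie path '/wiki/' and the session name 'PmWikiSession' are illustrative choices:

```php
<?php
// Added example, not PmWiki's own code.
// Demonstrates how session.cookie_lifetime controls whether PHPSESSID
// survives a browser close, and how to force a true session cookie from
// config.php (assumption: config.php runs before session_start()).

// Report the effective lifetime, the same value ?action=phpinfo shows.
function session_cookie_lifetime_report() {
    $lifetime = (int) ini_get('session.cookie_lifetime');
    if ($lifetime === 0) {
        return "session.cookie_lifetime=0: PHPSESSID is a session cookie, "
             . "dropped when the browser exits";
    }
    return "session.cookie_lifetime=$lifetime: PHPSESSID persists for "
         . "$lifetime seconds after each response, so the login survives a browser restart";
}

// Force a cookie with no Expires/Max-Age, regardless of php.ini.
// Must run before session_start(); once the session is active the
// Set-Cookie header has already been queued and this cannot change it.
function force_session_cookie($path = '/', $name = null) {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return false;
    }
    // lifetime 0 => browser-session cookie. Restricting the path keeps this
    // cookie from being shadowed by a PHPSESSID set by another PHP app on
    // the same host with a longer lifetime (the "two cookies" seen above).
    session_set_cookie_params(0, $path);
    if ($name !== null) {
        // A distinct session name avoids any clash with other apps' PHPSESSID.
        session_name($name);
    }
    return true;
}

// Hypothetical placement in config.php, before PmWiki starts the session:
force_session_cookie('/wiki/', 'PmWikiSession');
echo session_cookie_lifetime_report(), "\n";
```

session_set_cookie_params() writes the session.cookie_lifetime ini value, so a call to session_cookie_lifetime_report() afterwards shows 0 even if php.ini says otherwise. A second PHPSESSID from another application can still be present for the same host, but with a different path or a different session name it no longer feeds PmWiki's session_start().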



More information about the pmwiki-users mailing list