[pmwiki-users] Considerations about security for PmWiki
Dominique Faure
dominique.faure at laposte.net
Wed Jan 26 01:04:08 CST 2005
Hi,

I was looking for a means to change author credentials without closing the
browser, and I just found that the current password is stored in plain
text form in the PHP session file.

In a nearby topic, a few weeks ago someone was complaining here about the PHP
crypt() function used in PmWiki to define passwords but not always
available with every PHP installation.

Could we have a new or an updated PITS entry about that:
* Being able to choose in config.php the desired hash algorithm to handle
  password encryption (md5, sha1 or the one I may have designed).
* Keeping them stored in encrypted form everywhere (even in the session
  data).

BTW, here's a small '?action=logout' hack to make the browser forget the
current password. Just paste the following code into your config.php:
-----8<---------------------------------------------------------
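SDV($HandleActions['logout'], 'HandleLogout');

# Handler for ?action=logout: drop the session so the password kept in it is forgotten.
function HandleLogout($pagename) {
  session_start();
  session_unset();                       # clear all session variables
  if (isset($_COOKIE[session_name()])) {
    # expire the session cookie in the browser
    setcookie(session_name(), '', time() - 42000, '/');
  }
  session_destroy();                     # remove the server-side session data
  Redirect($pagename);
}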
-----8<---------------------------------------------------------
Best regards,
Dominique
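
Added example (not part of the original message and not PmWiki code): one way to meet the second request above, so that the session file never holds the plaintext. It assumes PHP 7+ with password_hash()/password_verify(); the function names, the 'authorized' key and the sample passwords are hypothetical, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added illustration, not PmWiki code. All names here are hypothetical.

// Check the entered password against every stored hash and record only
// WHICH hashes it satisfied. The plaintext is never written to $session,
// so it cannot end up in the serialized session file.
function remember_auth(array &$session, string $entered, array $storedHashes): int {
    $matched = 0;
    foreach ($storedHashes as $hash) {
        if (password_verify($entered, $hash)) {
            $session['authorized'][$hash] = true;
            $matched++;
        }
    }
    return $matched;
}

// A later request for a page protected by $pageHash needs no password
// re-entry and no plaintext: it only looks up the recorded match.
function is_authorized(array $session, string $pageHash): bool {
    return isset($session['authorized'][$pageHash]);
}

// Constructed sample data: two page passwords, stored only as hashes.
$editHash  = password_hash('edit-secret', PASSWORD_DEFAULT);
$adminHash = password_hash('admin-secret', PASSWORD_DEFAULT);

$session = [];   // stands in for $_SESSION
$count = remember_auth($session, 'edit-secret', [$editHash, $adminHash]);

echo "hashes matched: $count\n";
echo "edit page allowed: ", var_export(is_authorized($session, $editHash), true), "\n";
echo "admin page allowed: ", var_export(is_authorized($session, $adminHash), true), "\n";

// What PHP would write to the session file: the plaintext must be absent.
$onDisk = serialize($session);
echo "plaintext in session data: ",
     var_export(strpos($onDisk, 'edit-secret') !== false, true), "\n";
```

In a real request handler, call session_regenerate_id(true) after a successful match so a pre-login session ID cannot be reused.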