[pmwiki-users] RSS & password-protected pages

Patrick R. Michaud pmichaud at pobox.com
Wed Oct 18 09:05:22 CDT 2006


On Wed, Oct 18, 2006 at 03:52:02PM +0200, Mike wrote:
> Great, thanks a lot.
> 
> It's documented now on
> http://www.pmwiki.com/wiki/PmWiki/PageVariables

Hmm, I think this might be more appropriate as a recipe.

In the general case I'm not sure that something like
{$AuthPw} is a good idea, as it means that passwords end 
up being stored in the clear in page caches and browser 
bookmarks.  So, if it's used, there ought to be appropriate
security caveats around it.

Perhaps the best approach would be to have a cookbook recipe
that describes ways of dealing with password-protected RSS
feeds, since the question does arise somewhat frequently.
Then that recipe could offer {$AuthPw} as a way of providing
a password to feed links, and we could have links to the
recipe from the WebFeeds and PageVariables documentation
(e.g., in the FAQ sections for each).

Pm

> Patrick R. Michaud wrote on 18.10.2006 15:45:
> > On Wed, Oct 18, 2006 at 12:28:38PM +0200, Mike wrote:
> >> Patrick R. Michaud wrote on 18.10.2006 07:03:
> >>> While the PHP code does know the cleartext passwords that have been
> >>> entered for a session, it doesn't really know which one is the
> >>> "correct"
> >>> one.  Still, we could possibly have a custom {$AuthPw} variable that
> >>> returns the last password enetered, and maybe that would be good
> >>> enough.
> >>
> >> I think I figured it out after all:
> >>
> >> session_start();
> >> if (!empty($_POST['authpw'])){
> >> 	$_SESSION['storeauthpw'] = $_POST['authpw'];
> >> }
> >> 	$FmtPV['$AuthPw'] = $_SESSION['storeauthpw'];
> >>
> >> does the trick quite well!
> > 
> > This works, although one could run into issues with certain
> > passwords triggering some unwanted behaviors in $FmtPV.  
> > Perhaps the following instead, which returns the last password
> > entered:
> > 
> >     $FmtPV['$AuthPw'] = 'reset(array_keys((array)@$_SESSION["authpw"]))';
> > 
> > Pm
> > 
> 




More information about the pmwiki-users mailing list