[pmwiki-users] can password be embedded into url?; https security

H. Fox haganfox at users.sourceforge.net
Tue Jul 10 13:25:10 CDT 2007


On 7/9/07, W Randolph Franklin <pmwiki at wrfranklin.org> wrote:
> Hi,
>
> 1. Is it possible to combine a password into the url, so that
> accessing a protected page becomes a 1-step process?  This would
> make it easier for people to access protected pages, say by
> simply clicking on a link in a bookmark list w/o having to
> remember the password.  This would be especially appreciated by
> nontechnical people like upper managers.
>
> For example, non-wiki pages can already be accessed thus:
>
>     http://user:password@site.dom/file

That's not a very well-protected file!

> 2. When I access a wiki page with https (to prevent snoopers from
> stealing the password), the browser warns that some info is not
> encrypted?  What info?

Images?  Stylesheets?  View the page's source and look for "http:". If
it's a wiki that's part of a farm, make sure $FarmPubDir is a https://
URL.[1]

With a local customization you may be able to do

     https://user:password@site.dom/wiki/Main/HomePage

and have access to the password-protected page.

Be aware that if you do that the content of the page may be encrypted,
but your upper manager's username and password will be sent in the
clear  when the browser requests the page.  Try it and check your
server's logs...

Hagan

[1] http://www.pmwiki.org/wiki/Cookbook/SwitchToSSLMode#farms



More information about the pmwiki-users mailing list