[pmwiki-users] authuser forcing Author name stopped working?

Neil Herber nospam at eton.ca
Fri Jul 8 00:30:36 CDT 2005


At 2005-07-07  09:57 PM -0700, H. Fox is rumored to have said:
> > It needs to do something like:
> >
> > if user name on form exists in .htpasswd
> >          if passwords match
> >                  user is authenticated, set author name
> >          else
> >                  user is a spoofer, refuse entry
> >          endif
>
>authuser.php does this automatically.

Not on my system it doesn't!

For example, the username NeilHerber is in .htpasswd with an Apache MD5 
crypted password.
There is a shared read password which is a city name. The shared read 
password is set in config.php as follows:

$DefaultPasswords['read'] = array(crypt('cityname'), 'id:*');

If I enter my name and proper password, everything works just fine.

If I enter my name and the city name as a password, that works too, but 
according to what you say above, it should not. I hoped it would not, 
because it means that any user who knows the shared password can spoof 
being me.

There is a big difference, though. In the case of NeilHerber with proper 
password, $authid gets set to NeilHerber. In the case of NeilHerber with 
cityname password, $authid does not get set. As far as that goes, it is 
appropriate behaviour, because I have not been authenticated in the second 
case.

I will probably not be able to respond further for the next 5 hours, but I 
would like to resolve this if I can. After noon EDT on Friday, I am just 
going to have to live with what is working then, because I will be unable 
to access the server for a while.


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
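The check sketched in the quoted pseudocode above (accept a form name only when its .htpasswd password matches; a known name with any other password, including the shared read password, is a spoof attempt), as an added example that is not part of the post and is not PmWiki's authuser.php code. It is written in Python rather than PHP so it runs stand-alone; the .htpasswd contents, the author passwords and the function names are constructed for the example. It uses Apache's {SHA} htpasswd entry format because that is expressible with the standard library; the poster's file uses Apache MD5 ($apr1$) entries, which would need a separate hashing routine in verify().

```python
import base64
import hashlib
import hmac

# Shared read password from the post's config.php (the real value was a city name).
SHARED_READ_PASSWORD = "cityname"


def sha_hash(password: str) -> str:
    """Build an Apache htpasswd '{SHA}' entry: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a '{SHA}' entry.

    Assumption: only {SHA} entries are handled here; an $apr1$ (Apache MD5)
    entry like the poster's would need its own hashing routine.
    """
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} htpasswd entries are supported in this example")
    return hmac.compare_digest(sha_hash(password), stored)


# Constructed .htpasswd contents (not the poster's real file or passwords).
HTPASSWD = "\n".join([
    "NeilHerber:" + sha_hash("neils-real-password"),
    "HFox:" + sha_hash("hfox-real-password"),
    "# comment and blank lines are ignored",
    "",
])

# The shared read password is stored hashed, as crypt('cityname') does in config.php.
SHARED_READ_HASH = sha_hash(SHARED_READ_PASSWORD)


def parse_htpasswd(text: str) -> dict:
    """Return {username: stored_hash} from htpasswd-formatted text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def authenticate(name: str, password: str, users: dict) -> tuple:
    """Decide read access and the verified author identity for a login form.

    Returns (authorized, authid):
      - name in .htpasswd and password matches      -> (True, name)
      - name in .htpasswd and password does not match -> (False, None),
        even when the password is the shared read password (spoof attempt)
      - name not in .htpasswd but shared password given -> (True, None):
        read access, but no authenticated identity (assumption: this is the
        behaviour the shared read password is meant to provide)
      - anything else                               -> (False, None)
    """
    stored = users.get(name)
    if stored is not None:
        if verify(password, stored):
            return True, name
        return False, None
    if verify(password, SHARED_READ_HASH):
        return True, None
    return False, None


USERS = parse_htpasswd(HTPASSWD)

if __name__ == "__main__":
    for form_name, form_pw in [
        ("NeilHerber", "neils-real-password"),
        ("NeilHerber", SHARED_READ_PASSWORD),
        ("Visitor", SHARED_READ_PASSWORD),
    ]:
        print(form_name, form_pw, "->", authenticate(form_name, form_pw, USERS))
```

The second case is the one the post complains about: the name NeilHerber with the shared city-name password is refused outright instead of being let in with $authid unset, so knowing the shared password no longer lets a reader sign pages under a name that exists in .htpasswd.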