[pmwiki-users] How to restrict auth to secure connections
Daniel Rubin
Daniel.Frederik.Rubin at scai.fraunhofer.de
Thu Aug 17 06:58:49 CDT 2006
Michael Brenner wrote:
> Hello Daniel,
> NOT A SOLUTION, just something to think about: this code rewrites URLs to https (always).
> Maybe you put this into a special condition like "if (authform requested)..."
>
> config.php
> ...
> $ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
> $PubDirUrl = preg_replace('#/[^/]*$#','/pub',$ScriptUrl,1);
> ...
> $UploadDir = preg_replace('#/[^/]*$#','/uploads',$_SERVER['SCRIPT_FILENAME'],1); //???
> $UploadUrlFmt = preg_replace('#/[^/]*$#','/uploads',$ScriptUrl,1);
> ...
>
> Keep side effects in mind!
> I found this via an internet search; you may try to ask me questions about it, but
> don't expect too much.
>
> Hope this helps - mik
Hi Mik,
thank you for sharing your thoughts.
What I like about your suggestion is the idea to make sure that auth
data only gets *sent* over an encrypted channel. This is essentially
what I was aiming at.
However, in addition to that, I'd like to force the users not to
transmit their credentials insecurely. I want the wiki to just not
accept login data that doesn't come over an encrypted channel or from
the local network. Just to make sure no one tries to work around the
login form. (No idea why someone should want this, but I like clear and
stable solutions.)
Alright, thanks once more! Have fun,
----Daniel
> On Thursday, 17 August 2006 10:27, Daniel Rubin wrote:
>
>>Greetings, everyone.
>>
>>I'd like to restrict authentication to my wiki such that
>> * login is only permitted from connections via https or from
>> the local network
>> * the authentication form is also only shown under these
>> circumstances.
>>
>>Which is the best way to achieve this?
>>I'm using pmwiki-2.1.11 with AuthUser (with htpasswd file), served by an
>>Apache on a Linux box.
>>
>>I'll be grateful for any good advice, hints or suggestions.
>>
>>Have fun,
>>----Daniel
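One way to enforce what the thread asks for (accept login data only over https or from the local network, and show the login form only then), as an added example that is not part of the original messages or PmWiki's own code. Assumptions: the network ranges are constructed placeholders, the helper names are hypothetical, the form fields are the stock `authid`/`authpw` names, and `$AuthPromptFmt` is the variable your PmWiki version uses for the login prompt.

```php
<?php
// Added example for local/config.php; place it BEFORE authuser.php is included.
// $LOCAL_NETS holds constructed placeholder ranges: replace with your own.
$LOCAL_NETS = array('127.0.0.0/8', '192.168.0.0/16');

// True if dotted IPv4 $ip lies inside $cidr ("a.b.c.d/len").
// Assumes 64-bit PHP integers.
function ip_in_cidr($ip, $cidr) {
  $parts = explode('/', $cidr, 2);
  if (count($parts) != 2) return false;
  $ipL  = ip2long($ip);
  $netL = ip2long($parts[0]);
  $len  = (int)$parts[1];
  if ($ipL === false || $netL === false || $len < 0 || $len > 32) return false;
  $mask = (-1 << (32 - $len)) & 0xFFFFFFFF;
  return ($ipL & $mask) === ($netL & $mask);
}

// Decide from what the web server observed about the connection only.
// Client-supplied headers (Host, X-Forwarded-*) are deliberately ignored,
// since a client could set them to look "local" or "secure".
function login_channel_ok($server, $nets) {
  $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
  if ($https) return true;
  $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  foreach ($nets as $cidr) {
    if (ip_in_cidr($ip, $cidr)) return true;
  }
  return false;
}

if (!login_channel_ok($_SERVER, $LOCAL_NETS)) {
  // Drop submitted credentials so they are never checked on this channel,
  // even if someone posts them without going through the login form.
  unset($_POST['authid'], $_POST['authpw']);
  // Replace the login form with a notice instead of a password prompt.
  $AuthPromptFmt = array(
    '<p>Login is only available over https or from the local network.</p>');
}
```

If Apache sits behind a TLS-terminating proxy, `HTTPS` and `REMOTE_ADDR` describe the proxy hop rather than the browser, so the check has to be adapted to values that proxy sets and the client cannot override.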