[pmwiki-users] How to restrict auth to secure connections

Daniel Rubin Daniel.Frederik.Rubin at scai.fraunhofer.de
Tue Aug 22 03:16:20 CDT 2006


Michael Brenner wrote:
> A much more rude variant.
> take this into config.php and you will see.
> echo $_SERVER['REMOTE_ADDR'];//works too
> echo $_SERVER['SCRIPT_FILENAME'];
> echo $_SERVER['HTTPS'];
> if($action=='edit'||$action=='login'){echo 'Access denied<br />';exit();}
Thank you, Michael, that looks promising.  I was hoping it would be as 
simple as checking some PHP variable.
However, this solves only half of my problem.  I suspect that if login 
were still possible, although not through the login form of my wiki, 
someone *would* try and sneak their credentials in.
I was thinking it might be possible to prevent pmwiki (UserAuth) from 
looking at username/password at all by putting some code in config.php.
E. g., would it suffice to overwrite the requested action, setting it to 
'read' if the user's connection doesn't match my requirements?
Have a nice day,
----Daniel



> On Thursday, 17 August 2006 18:19, Michael Brenner wrote:
> 
>>I think, I understand your question now, you want to block login-form if
>>it's requested from insecure source (not https nor localip). Am I right?
>>
>>Put somehow a condition into Site.AuthForm using
>>(:if enabled VAR:) while VAR is a php-variable you set in config.php
>>unluckily (:if:) doesn't seem to work the usual way in Site.AuthForm (?)
>>
>>On Thursday, 17 August 2006 15:17, Daniel Rubin wrote:
>>
>>>Patrick R. Michaud wrote:
>>>
>>>>On Thu, Aug 17, 2006 at 10:27:06AM +0200, Daniel Rubin wrote:
>>>>
>>>>>Greetings, everyone.
>>>>>
>>>>>I'd like to restrict authentication to my wiki such that
>>>>> * login is only permitted from connections via https or from
>>>>>   the local network
>>>>> * the authentication form is also only shown under these
>>>>>   circumstances.
>>>>>
>>>>>Which is the best way to achieve this?
>>>>
>>>>So, if someone attempts to access a protected resource from a
>>>>non-https connection, you want the system to just return a
>>>>"forbidden" response, or ...?
>>>>
>>>>Pm
>>>
>>>Not exactly.  I only want the _login_ to be rejected if it comes from an
>>>insecure source.
>>>
>>>To be precise,
>>>  (1) AuthUser should not honor any username and password posts
>>>  (2) instead of the login form it should return a rejection message.
>>>
>>>Thanks,
>>>----Daniel
>>
>>_______________________________________________
>>pmwiki-users mailing list
>>pmwiki-users at pmichaud.com
>>http://host.pmichaud.com/mailman/listinfo/pmwiki-users
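The approach discussed in this thread (checking `$_SERVER['HTTPS']` and `$_SERVER['REMOTE_ADDR']` in config.php, dropping the posted credentials so AuthUser never sees them, and downgrading the `login`/`edit` action to a rejection) as a worked example. This is added example code, not code from the thread or from PmWiki itself. It assumes, as Michael's snippet does, that `$action` is already populated when `local/config.php` runs, that PmWiki's login form posts its fields as `authid` and `authpw`, and that `$SecureLoginNets` and `$EnableSecureLogin` are variable names chosen here (the latter so that `(:if enabled EnableSecureLogin:)` can be used in Site.AuthForm); the network ranges are constructed placeholders.

```php
<?php
// Added example for local/config.php: restrict wiki login to TLS or LAN clients.
// Assumes $action is already set and the login form posts authid/authpw.

// Networks whose clients may log in over plain HTTP (constructed placeholders).
$SecureLoginNets = array('127.0.0.1/32', '192.168.0.0/16');

// True if IPv4 address $ip falls inside the CIDR range $cidr.
function InCidr($ip, $cidr) {
  list($net, $bits) = explode('/', $cidr);
  $bits = (int)$bits;
  $mask = ($bits == 0) ? 0 : ((~0 << (32 - $bits)) & 0xffffffff);
  $ipl  = ip2long($ip);
  $netl = ip2long($net);
  if ($ipl === false || $netl === false) return false;   // non-IPv4 input
  return (($ipl & $mask) == ($netl & $mask));
}

// True if this request arrived over HTTPS or from a trusted network.
function ConnectionIsSecure() {
  global $SecureLoginNets;
  // Apache sets HTTPS only on TLS vhosts; IIS sets it to 'off' on plain HTTP.
  if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off')
    return true;
  // Note: behind a reverse proxy REMOTE_ADDR is the proxy, not the client.
  if (!isset($_SERVER['REMOTE_ADDR'])) return false;
  foreach ($SecureLoginNets as $net)
    if (InCidr($_SERVER['REMOTE_ADDR'], $net)) return true;
  return false;
}

// Exposed so Site.AuthForm can use (:if enabled EnableSecureLogin:).
$EnableSecureLogin = ConnectionIsSecure() ? 1 : 0;

if (!$EnableSecureLogin) {
  // (1) AuthUser must not honor credentials: discard them before any
  //     auth code runs, whichever form or URL carried them.
  foreach (array('authid', 'authpw') as $f)
    unset($_POST[$f], $_GET[$f], $_REQUEST[$f]);
  // (2) Instead of the login form, return a rejection message.
  if ($action == 'login' || $action == 'edit') {
    header('HTTP/1.1 403 Forbidden');
    echo 'Login is only permitted over https or from the local network.';
    exit();
  }
}
```

Dropping the credentials in step (1) is what closes the "half of the problem" raised above: even a hand-crafted POST to `?action=browse` carrying `authid`/`authpw` reaches PmWiki without them, so nothing is left for AuthUser to check. Step (2) only covers the actions that would otherwise render Site.AuthForm; with `$EnableSecureLogin` set you can additionally wrap the form itself in `(:if enabled EnableSecureLogin:)` as Michael suggested.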