[pmwiki-users] can password be embedded into url?; https security

Patrick R. Michaud pmichaud at pobox.com
Thu Jul 12 14:13:59 CDT 2007


On Mon, Jul 09, 2007 at 05:52:00PM -0400, W Randolph Franklin wrote:
> 1. Is it possible to combine a password into the url, so that
> accessing a protected page becomes a 1-step process?  This would
> make it easier for people to access protected pages, say by
> simply clicking on a link in a bookmark list w/o having to
> remember the password.  This would be especially appreciated by
> nontechnical people like upper managers.
> 
> For example, non-wiki pages can already be accessed thus:
> 
>     http://user:password@site.dom/file

Unfortunately, with urls of this form, Apache doesn't pass
the username or password on to any scripts that might make use
of it.  In other words, the username and password work only
for Apache's internal authentication, and not for any scripts
that may be run under Apache.

However, if you're using a .htaccess file or otherwise have
authentication already set up in Apache, then PmWiki's AuthUser 
capabilities may be able to make use of that.  

It's also possible to configure PmWiki to accept usernames
and passwords from a url, as in:

    http://site.dom/pmwiki.php?authid=user&authpw=password

However, this is somewhat insecure, as the username and
password end up being stored in the server's access logs.

Still, if either of these approaches sounds promising, let
me know and I'll write up the details as a Cookbook recipe.

> 2. When I access a wiki page with https (to prevent snoopers from
> stealing the password), the browser warns that some info is not
> encrypted?  What info?

If $PubDirUrl is being explicitly set, then generally the warning
is for the .css files and graphic images that are typically
being retrieved on a normal http: connection.  The recommended
solution is to omit the http://site.dom/ part of the url for
$PubDirUrl.

Hope this helps; if there are any more questions, please ask.

Pm
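
Added example (not part of the original message and not PmWiki code): the reply above notes that credentials passed as authid/authpw end up in the server's access logs. The Python below finds and masks them in Apache combined-format log lines, in both the request target and the logged Referer field; the sample log lines, the REDACTED marker and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"authid", "authpw"}  # parameter names from the URL in the message
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>" "[^"]*")$')
# Pattern-based fallback for lines or URLs that do not parse cleanly.
FALLBACK = re.compile(r'(?i)\b(authid|authpw)=[^&\s"]*')

def mask_raw(text):
    """Mask credentials by pattern only; returns (text, found)."""
    cleaned, count = FALLBACK.subn(r"\1=REDACTED", text)
    return cleaned, count > 0

def redact_url(url):
    """Return (url with sensitive query values masked, whether any were found)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL
        return mask_raw(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE for k, _ in pairs):
        return url, False
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), True

def scrub_line(line):
    """Mask credentials in the request target and the Referer of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return mask_raw(line)
    target, hit_t = redact_url(m["target"])
    referer, hit_r = redact_url(m["referer"])
    out = f'{m["head"]}{m["method"]} {target} {m["proto"]}{m["mid"]}{referer}{m["tail"]}'
    return out, hit_t or hit_r

def scan(lines):
    """Return (scrubbed lines, indexes of lines that carried credentials)."""
    results = [scrub_line(line) for line in lines]
    return [r[0] for r in results], [i for i, r in enumerate(results) if r[1]]

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2007:14:13:59 -0500] "GET /pmwiki.php?authid=user&authpw=password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Jul/2007:14:14:02 -0500] "GET /pmwiki.php?n=Main.HomePage HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jul/2007:14:14:05 -0500] "GET /style.css HTTP/1.1" 200 900 "http://site.dom/pmwiki.php?authid=user&authpw=password" "Mozilla/5.0"',
]
```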


