[pmwiki-users] RSS feeds and passwords

Patrick R. Michaud pmichaud at pobox.com
Mon Nov 12 11:10:21 CST 2007


On Fri, Nov 09, 2007 at 09:52:50AM -0600, Jon Haupt wrote:
> On Jan 19, 2007 12:09 PM, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > Lastly, it's also possible to configure the webfeeds to obtain
> > the authentication information from the url directly, as in:
> >
> >     .../Site/AllRecentChanges?action=rss&authpw=secret
> >
> > The big downside to this is that the cleartext password will
> > end up travelling across the net with every RSS request, and
> > may end up being recorded in Apache's access logs.
> 
> I've been thinking about this question of RSS feeds for a while,
> unhappy with the idea of sending passwords as plain text and also not
> thrilled with the $EnablePageListProtect option.  I've noticed that
> some applications are creating secret keys by encoding
> username/password information and handing this out for subscription --
> see Google Calendar, FriendFeed, and many others.  How difficult would
> it be to get PmWiki to accept an encrypted password in a URL instead
> of the plain text password?

It depends on what you mean by "encrypted password".  No matter
the form of the password (encrypted or cleartext), anyone who is 
able to obtain the authpw= parameter of the url would be able to use 
that value to access the RSS feed.

It is possible, however, to set up RSS-only passwords -- i.e.,
passwords that provide access to the RSS feed(s) but not to
anything else.

Pm
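
Added example, not part of the original message and not PmWiki code: a Python scrubber for the access-log exposure mentioned in the thread, which masks `authpw` values in Apache combined-format log lines and reports which entries carried one. The log lines, paths, host names and the `REDACTED` marker are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

PARAM = "authpw"  # query parameter named in the thread

def redact_url(url):
    """Return (url with authpw values masked, number of values masked)."""
    base, sep, query = url.partition("?")
    if not sep:
        return url, 0
    query, hash_sep, frag = query.partition("#")
    hits, parts = 0, []
    for pair in query.split("&"):
        key, eq, _value = pair.partition("=")
        # PHP URL-decodes parameter names, so compare the decoded key.
        if eq and unquote_plus(key) == PARAM:
            pair, hits = key + "=REDACTED", hits + 1
        parts.append(pair)
    return base + "?" + "&".join(parts) + hash_sep + frag, hits

# Quoted fields of a combined-format line: request line, Referer, User-Agent.
QUOTED = re.compile(r'"([^"]*)"')

def redact_line(line):
    """Mask authpw in every quoted field of one access-log line."""
    total = 0
    def fix(match):
        nonlocal total
        words = []
        for word in match.group(1).split(" "):
            word, n = redact_url(word)
            total += n
            words.append(word)
        return '"' + " ".join(words) + '"'
    return QUOTED.sub(fix, line), total

# Constructed sample lines (not taken from any real server).
SAMPLE = [
    '192.0.2.10 - - [12/Nov/2007:11:10:21 -0600] "GET /wiki/Site/AllRecentChanges?action=rss&authpw=secret HTTP/1.1" 200 5120 "-" "FeedReader/1.0"',
    '192.0.2.11 - - [12/Nov/2007:11:12:02 -0600] "GET /wiki/Main/HomePage HTTP/1.1" 200 2048 "http://wiki.example/wiki/Site/AllRecentChanges?action=rss&%61uthpw=secret" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Nov/2007:11:13:40 -0600] "GET /wiki/Site/AllRecentChanges?action=rss HTTP/1.1" 401 512 "-" "FeedReader/1.0"',
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE, 1):
        clean, hits = redact_line(line)
        print(f"line {number}: {hits} value(s) masked\n  {clean}")
```

A value that has already reached a log remains usable by anyone who read it, so masking complements, rather than replaces, changing that password.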


