When using PmWiki with AuthUser/LDAP, the users' passwords are stored in clear in PHP session files on the server.
With LDAP, this password is typically used for many applications/systems, and anyone who has read access to the PHP session files can obtain the users' LDAP password, which is quite annoying...

By default, in PHP.ini, "session.save_handler" is set to "files". Changing it to 'mm', as (very poorly) documented, is supposed to store the session variable in memory. In practice, on Windows 2003/Apache, the session files cannot be found on disk any longer, but the sessions do not appear to be stored at all: users have to re-enter their password for each request.

Is there a way to avoid this, ideally by not storing the users' passwords in clear in sessions, or by configuring PHP not to write the sessions to disk?

Thank you in anticipation.

Christophe

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users