This is not relevant for this topic: we are talking about PHP session
files storing passwords in clear.
The topic isn't necessarily that specific, considering this is the
pmwiki-users list, not pmwiki-devel. First, here's the part you
chopped out...
Sorry if it hurt you.
I have been
On 10/12/07, Maria McKinley [EMAIL PROTECTED] wrote:
Yes, I suppose if they could look at /tmp they could also look at
config.php, and get my admin password, which probably should not be
written out in plain text on the server either.
FWIW cleartext passwords in config.php are avoidable if
On 10/15/07, Christophe David [EMAIL PROTECTED] wrote:
FWIW cleartext passwords in config.php are avoidable if you use
?action=crypt and paste crypted passwords into the file.
This is not relevant for this topic: we are talking about PHP session
files storing passwords in clear.
The topic
On 10/15/07, H. Fox [EMAIL PROTECTED] wrote:
On 10/15/07, Christophe David [EMAIL PROTECTED] wrote:
FWIW cleartext passwords in config.php are avoidable if you use
?action=crypt and paste crypted passwords into the file.
This is not relevant for this topic: we are talking about PHP
AFAIK, there's no *simple* means to solve what you called an issue.
Indeed, but it does not make it a non-issue ;-)
I don't want to describe all the gory details here (you may see
[1],[2] and the PHP documentation for references), but basically
PmWiki uses the session data as a backup of what
On 10/11/07, Maria McKinley [EMAIL PROTECTED] wrote:
On 10/10/07, Maria McKinley [EMAIL PROTECTED] wrote:
On 10/10/07, Christophe David [EMAIL PROTECTED] wrote:
which temporary file contains the password?
The path for PHP session files is defined by session.save_path in
php.ini.
On Fri, Oct 12, 2007 at 08:43:22PM +0200, Christophe David wrote:
AFAIK, there's no *simple* means to solve what you called an issue.
Indeed, but it does not make it a non-issue ;-)
I would advocate for a reasonable extra effort to at least not *STORE*
the passwords in clear in PHP session
On 10/12/07, Dominique Faure [EMAIL PROTECTED] wrote:
On 10/11/07, Maria McKinley [EMAIL PROTECTED] wrote:
On 10/10/07, Maria McKinley [EMAIL PROTECTED] wrote:
On 10/10/07, Christophe David [EMAIL PROTECTED] wrote:
which temporary file contains the password?
The path for PHP
Indeed, but it does not make it a non-issue ;-)
To briefly answer the above discussion: the plan is that PmWiki
will change the way it manages passwords so that they aren't held
in cleartext in the session data. In addition, there will be an
$EnableSessionPasswords configuration variable
Christophe David wrote:
When using AuthUser, PmWiki stores the user password in clear in a
session variable. Therefore, the user password can be read very
easily by anyone who has access to the server.
which temporary file contains the password?
I can check my PmWiki/AuthUser/ldap
which temporary file contains the password?
The path for PHP session files is defined by session.save_path in
php.ini. (phpinfo() should give you the settings on your system.)
Details on http://www.php.net/session .
The files are plain text with all variables stored in clear.
Thank you for
On 10/10/07, Christophe David [EMAIL PROTECTED] wrote:
which temporary file contains the password?
The path for PHP session files is defined by session.save_path in
php.ini. (phpinfo() should give you the settings on your system.)
Details on http://www.php.net/session .
The files are
On 10/10/07, Maria McKinley [EMAIL PROTECTED] wrote:
On 10/10/07, Christophe David [EMAIL PROTECTED] wrote:
which temporary file contains the password?
The path for PHP session files is defined by session.save_path in
php.ini. (phpinfo() should give you the settings on your system.)
13 matches