On 11/18/2010 10:09 PM, Brion Vibber wrote:
> On Thu, Nov 18, 2010 at 11:53 AM, Hiram Clawson <[email protected]> wrote:
>
>> Good Morning MediaWiki Fans:
>>
>> Are there any options to turn on encryption of the password
>> from the login page? Is the login information sent in
>> clear text?
>>
> The only way to send passwords and session cookies securely is to run the
> site over HTTPS; see your web server's documentation or your provider's
> support pages on how to use HTTPS.
>
> We experimented briefly in '05 with JavaScript stuff to send salted MD5
> hashes instead of raw passwords which in theory is slightly more secure than
> plaintext passwords over HTTP; but this never really worked out and
> ultimately still leaves all your session tokens exposed. The web has a good
> solution for this problem already, which is to run all authenticated
> sessions and authentication information over an encrypted connection.
>
> There are some options & extensions out there to help direct the login page
> over to HTTPS if you need to serve unauthenticated pages over HTTP for
> performance reasons, but it'll simplify your life a lot to just go
> HTTPS-only.
>
> -- brion
> _______________________________________________
> MediaWiki-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

I do agree with Brion and implemented the secure login.
Try to log in at: http://experimental.wikiation.nl (note this is the http
protocol) and see what happens at the login screen.

See http://manual.wikiation.nl/Level_2_security_http_for_reading_https_for_editing

Example required setting in Apache:

    RewriteEngine On
    RewriteRule ^/Special:UserLogin(.*) https://experimental.wikiation.nl/Special:UserLogin$1 [R=301,L]

And in LocalSettings.php:

Disable $wgServer

Only https would be technically better but confuses the users.
Security is important.

Good luck.

With regards
Bernard Hulsman
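The point made in the thread, that redirecting only the login page to HTTPS still leaves session tokens exposed, can be checked from response headers. The following is an added example, not part of the original thread; the host `wiki.example`, the cookie name `wiki_session`, the sample responses and the function `audit_login_flow` are all constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_login_flow(responses):
    """responses: list of (request_url, status, [(header, value), ...]).
    Returns findings about credentials or cookies exposed to plain HTTP."""
    findings = []
    for url, status, headers in responses:
        scheme = urlsplit(url).scheme
        location = next((v for k, v in headers if k.lower() == "location"), "")
        to_scheme = urlsplit(location).scheme
        if "Special:UserLogin" in url and scheme == "http":
            # The login form must only ever be reachable through a redirect.
            if status not in REDIRECTS or to_scheme != "https":
                findings.append(f"login page served over HTTP: {url}")
        if scheme == "https" and status in REDIRECTS and to_scheme == "http":
            findings.append(f"redirect back to HTTP after HTTPS: {url}")
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if scheme == "http":
                    findings.append(f"cookie {cookie_name} set over HTTP: {url}")
                elif not morsel["secure"]:
                    # Without Secure the browser sends this cookie on every
                    # later http:// request to the same host.
                    findings.append(f"cookie {cookie_name} lacks Secure: {url}")
    return findings

# Constructed sample: HTTPS for login only, HTTP for reading.
LOGIN_ONLY_HTTPS = [
    ("http://wiki.example/Special:UserLogin", 301,
     [("Location", "https://wiki.example/Special:UserLogin")]),
    ("https://wiki.example/Special:UserLogin", 302,
     [("Location", "http://wiki.example/Main_Page"),
      ("Set-Cookie", "wiki_session=0123abcd; path=/; HttpOnly")]),
]
# Constructed sample: the whole site on HTTPS.
HTTPS_ONLY = [
    ("http://wiki.example/Special:UserLogin", 301,
     [("Location", "https://wiki.example/Special:UserLogin")]),
    ("https://wiki.example/Special:UserLogin", 302,
     [("Location", "https://wiki.example/Main_Page"),
      ("Set-Cookie", "wiki_session=0123abcd; path=/; Secure; HttpOnly")]),
]

if __name__ == "__main__":
    for label, flow in (("login-only", LOGIN_ONLY_HTTPS), ("https-only", HTTPS_ONLY)):
        print(label, audit_login_flow(flow) or "no findings")
```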
