Christophe David wrote:
> This question was already posted in August, but did not receive any
> answer. Same player shoots again ;-)
>
> PHP stores session data to temporary files on the server. These files
> contain in clear all the session variables and their values.
>
> When using AuthUser, PmWiki stores the user password in clear in a
> session variable. Therefore, the user password can be read very
> easily by anyone who has access to the server.
>
> This is especially annoying when using LDAP, as the user password is
> typically used to authenticate on several systems. Therefore, the use
> of PmWiki with LDAP creates a security issue for the other systems
> using LDAP.
>
> Any idea how to avoid this?
Maybe I just don't understand the problem, but if you use a secure authentication method other than the built-in PmWiki passwords, I can't see how PHP or PmWiki can know the password. For example, on my protected wikis I use Apache BA to authenticate the users. PmWiki only has to look at the authenticated user name to grant or deny access. There is no way I can see that it has access to the password.

--
Neil Herber
Corporate info at http://www.eton.ca/

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
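The two patterns discussed in this thread, as an added PHP illustration (not PmWiki's own code): what PHP's default `php` session serialize handler writes to the session file when the password itself is kept in `$_SESSION`, versus keeping only the user name already authenticated by the web server, as Neil describes. The session key names `authid`/`authpw` and the sample credentials are constructed for the example and are not PmWiki's actual variable names.

```php
<?php
// Added illustration, not PmWiki code. Mimics the on-disk format of PHP's
// default 'php' session serialize handler: "key|<serialize(value)>" per entry.
function session_file_contents(array $session): string
{
    $out = '';
    foreach ($session as $key => $value) {
        $out .= $key . '|' . serialize($value);
    }
    return $out;
}

// Returns true when the serialized form of $secret appears in the file body,
// i.e. the check an administrator could run against files in session_save_path().
function session_file_leaks(string $fileBody, string $secret): bool
{
    return strpos($fileBody, serialize($secret)) !== false;
}

// Constructed sample credentials (not real).
$user     = 'alice';
$password = 'Tr0ub4dor&3';

// Pattern from the question: the application keeps the password in the session
// so it can re-bind to LDAP later. The session file then holds it in clear.
$withPassword = ['authid' => $user, 'authpw' => $password];

// Pattern from the reply: the web server (e.g. Apache Basic Auth) has already
// verified the user; the application stores only the authenticated name it is
// handed in REMOTE_USER. The password never enters $_SESSION.
$nameOnly = ['authid' => $_SERVER['REMOTE_USER'] ?? $user];

$fileA = session_file_contents($withPassword);
$fileB = session_file_contents($nameOnly);

echo "password kept in session -> file body: {$fileA}\n";
echo "  leaks password? " . (session_file_leaks($fileA, $password) ? 'yes' : 'no') . "\n";
echo "user name only           -> file body: {$fileB}\n";
echo "  leaks password? " . (session_file_leaks($fileB, $password) ? 'yes' : 'no') . "\n";
```

Run with `php` on the command line; with no `REMOTE_USER` set it falls back to the constructed user name so the comparison still prints.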
