On 10/11/07, Maria McKinley <[EMAIL PROTECTED]> wrote:

> On 10/10/07, Maria McKinley <[EMAIL PROTECTED]> wrote:
>
> > On 10/10/07, Christophe David <[EMAIL PROTECTED]> wrote:
> >
> > > > which temporary file contains the password ?
> > >
> > > The path for PHP session files is defined by "session.save_path" in php.ini. (phpinfo() should give you the settings on your system.)
> > >
> > > Details on http://www.php.net/session .
> > >
> > > The files are plain text with all variables stored in clear.
> > >
> > > Thank you for your help.
> > >
> > > Christophe
> >
> > This is definitely a problem, thanks for pointing it out. On my system, it saves to /tmp, which is not readable from the web, but still a bad idea. The trick is to encrypt it. I tried the code below in my config.php, but I must not have the syntax correct. Maybe someone with more php knowledge can help us out:
> >
> > $DefaultPasswords['edit'] = crypt('id:*');
> >
> > cheers,
> > maria
>
> After further investigation, I don't think the problem is syntax. I think the encryption was set up to work with the pmwiki authorization stuff, and it just doesn't work with ldap. I think ldap doesn't have the ability to unencrypt the password, and I'm not sure how to fix that...
>
> cheers,
> maria
AFAIK, there's no *simple* means to solve what you called an issue. I don't want to describe all the gory details here (you may see [1], [2] and the PHP documentation for references), but basically PmWiki uses the session data as a backup of what the user typed in the password field, which then can be re-used as is by the whole auth chain each time a new wiki page is requested (submitted with or without preliminary encryption to the configured auth scheme, as required).

So, encrypting the session data would require using a two-way encryption cipher and a dedicated password in order to be able to retrieve the original data. Then, where would you store this password?

Corollary question: if someone is able to look at your session data, how could you prevent him from also having a look at your config.php?

Finally, did you know that the password you entered in the auth field was sent without any encryption from your browser to the server hosting your wiki?

[1] http://www.faqs.org/rfcs/rfc2616.html
[2] http://www.faqs.org/rfcs/rfc2965.html

--
Dominique

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
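As an added example (not PmWiki code and not from any poster in this thread), the following PHP fragment addresses the two points raised above that an administrator can act on: keeping the clear-text session files out of a shared /tmp and never sending the session cookie in clear. The directory path is a hypothetical one; it is assumed to be owned by the web server user.

```php
<?php
// Added example: run this before session_start() in a bootstrap file.
// Assumption: $sessionDir is a hypothetical private directory owned by
// the web server user; change it to suit your system.
$sessionDir = '/var/lib/pmwiki-sessions';

if (!is_dir($sessionDir)) {
    // 0700: only the owning (web server) user may list or read sess_* files.
    if (!mkdir($sessionDir, 0700, true)) {
        die('Cannot create private session directory');
    }
}

// Refuse to start if group or others can read the directory (as with a
// world-readable /tmp), since session files store variables in clear text.
if (fileperms($sessionDir) & 0077) {
    die('Session directory is readable by other users; fix its permissions');
}

session_save_path($sessionDir);                 // replaces session.save_path
ini_set('session.use_only_cookies', '1');       // no session id in URLs
ini_set('session.use_strict_mode', '1');        // reject ids the server did not issue
session_set_cookie_params([
    'secure'   => true,   // cookie travels only over HTTPS, never in clear
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();
```

This does not change what PmWiki keeps in the session; it only narrows who can read the files and the cookie, which is the part of the problem that configuration alone can address.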
