Patrick R. Michaud wrote:
> On Fri, Oct 12, 2007 at 08:43:22PM +0200, Christophe David wrote:
>
>>>AFAIK, there's no *simple* means to solve what you called an issue.
>>
>>Indeed, but it does not make it a non-issue ;-)
>>
>>I would advocate for a reasonable extra effort to at least not *STORE*
>>the passwords in clear in PHP session files, even if the "solution" is
>>not totally secure. This would be much better than having nothing
>>because we cannot have everything.
>
>
> Sorry I've been away from this discussion (and others) for a while --
> I've had a number of other things going on that have prevented me
> from keeping up with email.
>
> To briefly answer the above discussion: the plan is that PmWiki
> will change the way it manages passwords so that they aren't held
> in cleartext in the session data. In addition, there will be an
> $EnableSessionPasswords configuration variable that can be used to
> completely disable PmWiki's storage of passwords in the session.
>
> I expect these to come out in the next release, hopefully sometime
> within the next week.
>
> It's also very likely that 2.2.0 will leave beta within the next
> week or two.
>
> Pm

I don't understand why you need to store passwords in sessions. I think that it is not necessary to check passwords for a user who was successfully authenticated and the session is not expired. Am I wrong?

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
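
One way a session can remember an authorization without holding the password, as an added example (not PmWiki's code and not written by anyone in this thread). It assumes a wiki where protected pages carry their own password hashes; every page name, session key, function name and password below is hypothetical or constructed.

```php
<?php
// Added illustration, not PmWiki code. All names and values are constructed.

// Constructed sample data: each protected page has its own password hash.
$pageHashes = [
    'Main.Private' => password_hash('constructed-pw-1', PASSWORD_DEFAULT),
    'Site.Admin'   => password_hash('constructed-pw-2', PASSWORD_DEFAULT),
];

// Weak pattern: keep the submitted password so it can be re-checked on later
// requests. Whatever is placed in $_SESSION is written to the session store,
// so anyone who can read the session files can read the password.
function rememberCleartext(array &$session, string $pw): void {
    $session['passwords'][] = $pw;
}

// Alternative: verify once when the password is submitted, then remember only
// which stored hashes it matched. The cleartext never reaches the session.
function rememberGrant(array &$session, array $pageHashes, string $pw): int {
    $granted = 0;
    foreach ($pageHashes as $hash) {
        if (password_verify($pw, $hash)) {
            // Key the grant on a digest of the stored hash, not on the password.
            $session['granted'][hash('sha256', $hash)] = true;
            $granted++;
        }
    }
    return $granted;
}

// Later requests consult the grants; no password is needed again.
function mayRead(array $session, array $pageHashes, string $page): bool {
    if (!isset($pageHashes[$page])) {
        return true; // unprotected page
    }
    return isset($session['granted'][hash('sha256', $pageHashes[$page])]);
}

// Plain arrays stand in for $_SESSION so the script runs from the CLI.
$weak = [];
$better = [];
rememberCleartext($weak, 'constructed-pw-1');
rememberGrant($better, $pageHashes, 'constructed-pw-1');

// serialize() stands in for the session handler's own on-disk encoding.
echo serialize($weak), "\n";
echo serialize($better), "\n";
var_dump(mayRead($better, $pageHashes, 'Main.Private'));
var_dump(mayRead($better, $pageHashes, 'Site.Admin'));
```

Because each grant is keyed on the stored hash, changing a page's password invalidates earlier grants for that page without any extra bookkeeping.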
