On Tue, Oct 16, 2007 at 02:16:15PM -0200, Guillermo Calderon - INCO wrote:
> Patrick R. Michaud wrote:
> > To briefly answer the above discussion: the plan is that PmWiki
> > will change the way it manages passwords so that they aren't held
> > in cleartext in the session data. In addition, there will be an
> > $EnableSessionPasswords configuration variable that can be used to
> > completely disable PmWiki's storage of passwords in the session.
>
> I don't understand why you need to store passwords in sessions.
> I think that it is not necessary to check passwords for a user who was
> successfully authenticated and the session is not expired.
> Am I wrong?

Many PmWiki sites (including all of the sites that I run) use passwords to protect individual pages as opposed to using user-based authorizations. On such sites there isn't a concept of "authenticated user", and authorization is checked by testing the passwords for a given page against any passwords that have been entered during the session.

Pm
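
The page-password check described in the reply above, as an added PHP example that is not PmWiki's code and not part of the original message. The function names, the session layout, the use of `password_hash()` for the per-page hashes, and the modelled effect of turning session storage off are all assumptions made for illustration.

```php
<?php
// Added illustration, not PmWiki source. All names here are hypothetical.

// Constructed sample data: each page carries its own list of salted hashes.
$pageHashes = [
    'Main.HomePage' => [], // unprotected page
    'Team.Plans'    => [password_hash('alpha', PASSWORD_DEFAULT)],
    'Team.Budget'   => [password_hash('alpha', PASSWORD_DEFAULT),
                        password_hash('bravo', PASSWORD_DEFAULT)],
];

// Record a password typed into a page's password prompt.
// $enableSessionPasswords models the variable named in the thread (assumed effect).
function rememberPassword(array &$session, string $pw, bool $enableSessionPasswords): void
{
    if ($enableSessionPasswords) {
        // Hashes are salted per page, so a hash of $pw cannot be compared with
        // another page's hash. The session must keep a value that
        // password_verify() can test against pages visited later.
        $session['entered'][] = $pw;
    }
}

// Readable if the page has no passwords, or if any password entered during
// the session (or sent with this request) verifies against one of its hashes.
function mayRead(array $hashes, array $session, ?string $pwThisRequest = null): bool
{
    if ($hashes === []) {
        return true;
    }
    $candidates = $session['entered'] ?? [];
    if ($pwThisRequest !== null) {
        $candidates[] = $pwThisRequest;
    }
    foreach ($candidates as $pw) {
        foreach ($hashes as $hash) {
            if (password_verify($pw, $hash)) {
                return true;
            }
        }
    }
    return false;
}

$session = [];
rememberPassword($session, 'alpha', true);
var_dump(mayRead($pageHashes['Team.Plans'], $session));   // entered once, reused here
var_dump(mayRead($pageHashes['Team.Budget'], $session));  // same password, different salt
$noStore = [];
rememberPassword($noStore, 'alpha', false);
var_dump(mayRead($pageHashes['Team.Plans'], $noStore));          // nothing was kept
var_dump(mayRead($pageHashes['Team.Plans'], $noStore, 'alpha')); // password sent again
```

Because there is no user identity to mark as authenticated, the only state the session can carry is the set of entered passwords, which is why keeping them out of cleartext and being able to disable their storage are the two controls discussed in the thread.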
