Authentication is evil

Help
Joe Naylor
2004-09-27
2012-10-11
  • Joe Naylor

    Joe Naylor - 2004-09-27

    The only authentication that seems to work is PersonalPage, and only if the wiki is completely open. I really need my wiki to be secure, but all forms of secure authentication fail.

    Using HttpAuth, if two people log in using the same machine, the wiki occasionally changes the person logged in to be the other login. So you can log in as 'bob', click a link and notice that now you're logged in as 'john'.

    Using PersonalPage you can log in and create an account, but if anonymous users aren't allowed you can never create an account - even if bogo logins are allowed - it always says "Insufficient Permissions".

    Using database authentication, you can define a series of SQL statements to query from another database, but the wiki apparently loses contact with the wiki database and gives database errors when loading a page.

    IMAP, POP3, and LDAP all fail, even though I have all three running on the localhost. No indication why.

    File authentication recognizes the login, but loses the session. You have to log in on every page. I tried setting USE_DB_SESSION = true and false, sessions are created in the database but apparently aren't used.

    I expected at least one out of seven to work, but they're all broken somehow. I haven't had problems with logins or sessions in any other PHP application, this is the only one.

    I thought I'd just implement a simple htaccess username and password to the directory while I figure it out, but the wiki randomly changes the logged-in user to be the htaccess username when you click a link. It's very frustrating.

    I'm at wit's end. I've been struggling with this for a couple of weeks, I have three wiki sites to configure and two of them require authentication. The third, that doesn't require authentication, is working like a champ.

    Any ideas at all would be greatly appreciated. Really!

    I'm using Apache 1.3.27, PHP 4.3.8, and PostgreSQL 7.4.2.

    Yippy

     
    • Roger

      Roger - 2004-10-06

      <quote>Using HttpAuth, if two people log in using the same machine, the wiki occasionally changes the person logged in to be the other login. So you can log in as 'bob', click a link and notice that now you're logged in as 'john'.</quote>

      This is normal behavior in my view if you use the same browser. But if Bob uses Firefox and John IE, it shouldn't be a problem. I've heard that when you use IE and don't open a new window via Ctrl-N, but clicking the desktop icon of IE, that sessions will be separate, but I don't know if that's true and how reliable that is. Whether this works for Firefox or Opera I don't know.

       
      • Reini Urban

        Reini Urban - 2004-10-06

        Yes, this is only a browser issue.
        Normally session IDs are transported in cookies if the browser accepts cookies.
        If not, the ID is appended to the URL.

        If your cookies are shared you will be in a mess.

         
    • Joe Naylor

      Joe Naylor - 2004-10-12

      If you log in as Bob, then log out and close your browser, then launch a new browser and log in as John, it should not change you back to Bob, but it does.

      It could be my browser, I'm using Firefox on Linux.

      If you turn off HttpAuth and use something like PersonalPage, but have used HttpAuth in the past, it will still change your login when you reach a page you viewed as a different user with HttpAuth enabled.

      It's very frustrating. After turning off HttpAuth, I had to log in and view every page I viewed before, logging out and back in to reset the name. Luckily it wasn't that many as I was just installing phpWiki.

       
    • Reini Urban

      Reini Urban - 2004-10-14

      AFAIK HTTP auth is evil per se, for multiple users on the same account (on the same machine).

      This is not related to PHP.
      But I stand corrected, and will fix that if someone will come up with a solution.
      But not if someone posts a random message to this help forum. No one will notice that.
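
Added example, not part of the thread and not phpWiki code: a simplified Python model of the mix-up discussed above, where a session id arriving by cookie or URL is trusted over the HTTP-auth user, next to a resolver that binds the session to the authenticated user. The in-memory `SESSIONS` store, the function names and the sample users are assumptions for illustration, not a diagnosis of phpWiki.

```python
import secrets

SESSIONS = {}  # session id -> user name (in-memory stand-in for a session table)

def new_session(user):
    """Create a session owned by `user` and return its random id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid

def resolve_user_naive(auth_user, cookie_sid=None, url_sid=None):
    """Trust whichever session id arrives, URL first; fall back to HTTP auth."""
    sid = url_sid or cookie_sid
    if sid in SESSIONS:
        return SESSIONS[sid]          # may be a different person's session
    return auth_user

def resolve_user_bound(auth_user, cookie_sid=None, url_sid=None):
    """Ignore URL-carried ids and require session owner == HTTP-auth user.

    Returns (user, sid); a fresh sid is issued when the old one is rejected.
    """
    if auth_user is None:
        return None, None             # no authenticated identity, no session
    owner = SESSIONS.get(cookie_sid)
    if owner == auth_user:
        return auth_user, cookie_sid
    if owner is not None:
        del SESSIONS[cookie_sid]      # stale session left by another login
    return auth_user, new_session(auth_user)

def demo():
    """Constructed scenario: bob used the machine first, john logs in later."""
    bob_sid = new_session("bob")
    stale_link_sid = bob_sid          # constructed: old link with bob's id in the URL
    john_sid = new_session("john")
    naive = resolve_user_naive("john", cookie_sid=john_sid, url_sid=stale_link_sid)
    # shared cookie jar: the browser still sends bob's cookie with john's credentials
    bound, sid = resolve_user_bound("john", cookie_sid=bob_sid, url_sid=stale_link_sid)
    return naive, bound, sid != bob_sid, bob_sid in SESSIONS

if __name__ == "__main__":
    print(demo())
```

The naive resolver reports the stale session's owner even though the request authenticated as someone else; the bound resolver discards the mismatched session and issues a new id for the authenticated user.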

       
