From: Bishop <bi...@pl...> - 2003-12-13 21:14:19
> Joby Walker schrieb:
>> If I am mistaken about what you are storing in the cookie ... then
>> ignore. But I am quite worried about this development.
>
> Well, I'm not so concerned about security with this password issue,
> since it's only a wiki. nothing serious.

I've just read the section of code allowing me to use the imap authentication feature, which means my wiki passwords will be the same as my users' imap passwords - therefore the same as their account passwords on my mail server. The risk of having those passwords stored remotely or passed over an insecure connection is a bit of a concern. PHPWiki runs well over an SSL connection, right?

> If I store sensitive data in cookies I do a symmetric encryption with a
> secret key at the host, generated at install time.

Where's that part of the code? I want to make sure it's being run like it should on %post in the RPM as well.

> but it's true that certain pref data shouldn't be stored in cookies:
> passwd (for security), email (. just the basic prefs for username and
> layout.
> otherwise the user has to create a homepage.
> okay?

Okay. Phew. Thanks.
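The thread above agrees on two points: a preferences cookie must never carry the password (or other sensitive fields), and whatever it does carry is bound to a secret generated on the host at install time. The following is an added illustration of that design, not PhpWiki's code and not the PHP the project is written in. It uses only the Python standard library, so it shows the integrity half (an HMAC tag under the host secret, which is what stops a client from forging or editing the cookie) rather than the symmetric encryption the quoted message mentions; the preference names, the secret-generation call and the allow/deny lists are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a per-host secret created once at install time (the RPM %post
# step in the thread) and loaded from the wiki config. Generated here only so
# the example runs stand-alone; a real deployment would never regenerate it per process.
HOST_SECRET = secrets.token_bytes(32)

# Constructed pref names for the example. The thread's rule: keep only the
# basic display prefs client-side; passwd and email never go into the cookie.
ALLOWED_PREFS = {"userid", "theme", "lang"}
FORBIDDEN_PREFS = {"passwd", "email"}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_prefs(prefs: dict, secret: bytes = HOST_SECRET) -> str:
    """Build a cookie value: allowed prefs as JSON, followed by an HMAC-SHA256 tag.

    Raises ValueError rather than silently dropping a forbidden field, so a
    caller that accidentally passes the password fails loudly during testing.
    Unknown keys (neither allowed nor forbidden) are simply not stored.
    """
    unsafe = FORBIDDEN_PREFS & prefs.keys()
    if unsafe:
        raise ValueError(f"refusing to store {sorted(unsafe)} in a cookie")
    body = json.dumps(
        {k: prefs[k] for k in prefs if k in ALLOWED_PREFS}, sort_keys=True
    ).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def open_prefs(cookie: str, secret: bytes = HOST_SECRET):
    """Return the prefs dict if the tag verifies under this host's secret.

    Returns None for anything else: garbage, truncation, a modified body, or a
    cookie minted under a different secret. The server then falls back to
    defaults instead of trusting client-supplied settings.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


if __name__ == "__main__":
    cookie = seal_prefs({"userid": "bishop", "theme": "default"})
    print("cookie:", cookie)
    print("verified:", open_prefs(cookie))
    print("tampered:", open_prefs(cookie[:-4] + "AAAA"))
```

The server-side secret is what makes the tag meaningful: a cookie copied from one wiki cannot be replayed against another, and a user cannot promote themselves by editing the JSON, because they cannot recompute the tag. Adding encryption on top (as the quoted message describes) would additionally hide the pref values from anyone reading the cookie in transit, which is why the thread's other point, serving the wiki over SSL, matters for the IMAP-backed login.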