From: Joby W. <joby@u.washington.edu> - 2002-10-02 16:15:02
Reini Urban wrote:
> Joby Walker wrote:
>
>> 1) a new login method (currently PUBCOOKIE_LOGIN): this will allow
>> end user to use the University of Washington's Pubcookie system.
>> When using Pubcookie the end user accesses a web site he is forced to
>> authenticate at a central site, and the central login site then
>> guarantees the authentication to the web site. Thus the end user's
>> password is never available to the web site, and allowing a unified
>> login structure for an organization. The only check is that
>> $HTTP_SERVER_VARS['REMOTE_USER'] is guaranteed to be set and correct.
>
> I'm against adding this to the default HEAD branch of phpwiki.
> I know that some sites do cookie auth, and even we do it in our
> internal backoffice, but this is totally insecure.
>

Why is this more insecure than other methods? Pubcookie follows the
Kerberos model for single login access, and was the first model accepted
by the Internet2's WebISO project:

http://middleware.internet2.edu/webiso/

Many universities use a similar login system, and they will become much
more common in the near future. More info on UW's Pubcookie:

http://www.washington.edu/pubcookie/

If you are worried about stolen cookies, why are we using PHPSessions?
They are only 128-bit numbers.

> But I already added beta support for ALLOW_HTTP_AUTH_LOGIN which
> accepts already logged in users.
>

Unfortunately, ALLOW_HTTP_AUTH_LOGIN is not useful for my purposes. With
pubcookie there is no password to go with the
$HTTP_SERVER_VARS['REMOTE_USER'] (because only the login server is
trusted with passwords), thus as structured a login would be impossible.
And you can't allow a REMOTE_USER login without a password, because then
there would be no protection against a user changing to a different
account (since none of them have passwords) -- thus the necessity of the
WikiUserID == REMOTE_USER (which breaks the administrative account).

jbw

P.S. Sorry Reini, meant to send to the whole list...