Menu
▾
▴
Re: [Phpwiki-talk] Re: auth prefs
|
From: Reini U. <ru...@x-...> - 2002-10-02 17:46:37
|
Joby Walker schrieb: > Reini Urban wrote: >> Joby Walker schrieb: >> >>> 1) a new login method (currently PUBCOOKIE_LOGIN): this will allow >>> end user to use the University of Washington's Pubcookie system. >>> When using Pubcookie the end user accesses a web site he is forced to >>> authenticate at a central site, and the central login site then >>> guarantees the authentication to the web site. Thus the end user's >>> password is never available to the web site, and allowing a unified >>> login structure for an organization. The only check is that >>> $HTTP_SERVER_VARS['REMOTE_USER'] is guaranteed to be set and correct. >> >> I'm against adding this to the default HEAD branch of phpwiki. >> I know that some sites do cookie auth, and even we do it in our >> internal backoffice, but this is totally insecure. > > Why is this more insecure than other methods? Oops. I mixed that up with our local php cookie login systems, which I had to fix. pubcookie seems to be a good thing. So why not? Seems not too hard to support in phpwiki, but requires lots of changes in apache. I'll have a look. http://www.washington.edu/computing/pubcookie/uwash-mod-1.77.html How do you detect this pubcookie session with PHP besides $_ENV['REMOTE_USER'] and $_COOKIE[PUBCOOKIE_NetID]? http://www.washington.edu/computing/web/publishing/uwnetid.html REFERER? Maybe any SSL var? > Pubcookie follows the kerberos model for single login access, and was > the first model accepted by the Internet2's WebISO project: > > http://middleware.internet2.edu/webiso/ > > Many universities use a similar login system, and they will become much > more common in the near future. > > More info on UW's Pubcookie: > > http://www.washington.edu/pubcookie/ > > If you are worried about stolen cookies, why are we using PHPSessions? > They are only 128bit numbers. > >> But I already added beta support for ALLOW_HTTP_AUTH_LOGIN which >> accepts already logged in users. > > Unfortunately, ALLOW_HTTP_AUTH_LOGIN is not useful for my purposes. With > pubcookie there is no password to go with the > $HTTP_SERVER_VARS['REMOTE_USER'] (because only the login server is > trusted with passwords), thus as structured a login would be impossible. > And you can't allow a REMOTE_USER login with out a password, because > then there would be no protection against a user changing to a different > account (since none of them have passwords) -- thus the necessity of the > WikiUserID == REMOTE_USER (which breaks the administrative account). -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |
