From: Joby W. <joby@u.washington.edu> - 2002-10-02 20:41:34
Reini Urban wrote:
> Joby Walker schrieb:
>
>> Reini Urban wrote:
>>
>>> Joby Walker schrieb:
>>>
>>>> 1) a new login method (currently PUBCOOKIE_LOGIN): this will allow
>>>> end user to use the University of Washington's Pubcookie system.
>>>> When using Pubcookie the end user accesses a web site he is forced
>>>> to authenticate at a central site, and the central login site then
>>>> guarantees the authentication to the web site. Thus the end user's
>>>> password is never available to the web site, and allowing a unified
>>>> login structure for an organization. The only check is that
>>>> $HTTP_SERVER_VARS['REMOTE_USER'] is guaranteed to be set and correct.
>>>
>
> Oops. I mixed that up with our local php cookie login systems, which I
> had to fix. pubcookie seems to be a good thing.
> So why not?

No problem, I like a healthy skepticism of a method's security!

> Seems not too hard to support in phpwiki, but requires lots of changes
> in apache. I'll have a look.
>
> http://www.washington.edu/computing/pubcookie/uwash-mod-1.77.html
>
> How do you detect this pubcookie session with PHP besides
> $_ENV['REMOTE_USER'] and $_COOKIE[PUBCOOKIE_NetID]?
>
> http://www.washington.edu/computing/web/publishing/uwnetid.html
>
> REFERER?
> Maybe any SSL var?

I agree that support is pretty easy to add, but I would not make it a detected login method. If this method is needed, there is a significant amount of backend work that needs to be completed, so I don't think we should worry about autodetection -- if this method is desired the wiki owner should just say so. In addition, if phpwiki makes a "false positive" detection of pubcookie, a serious security breach could result.

All we need is:

index.php (or config_user.php/config_dist.php):

    #define('USE_PUBCOOKIE_AUTH', true);
    if (!defined('USE_PUBCOOKIE_AUTH')) define('USE_PUBCOOKIE_AUTH', false);

WikiUser.php: function _pwcheck...

    // right after the ADMIN_USER check
    if (USE_PUBCOOKIE_AUTH) {
        global $HTTP_SERVER_VARS; // plain global in PHP 4, not a superglobal
        // accept only if the server really set REMOTE_USER to exactly this user
        if (isset($HTTP_SERVER_VARS['REMOTE_USER'])
            && $HTTP_SERVER_VARS['REMOTE_USER'] === $userid) {
            return WIKIAUTH_USER;
        }
        return false;
    }

jbw
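The opt-in REMOTE_USER check described in the message above, written out as a stand-alone PHP illustration. This is an added example, not phpwiki code or Joby's patch: the function name pubcookie_pwcheck(), the injected $server array and the scenario table are constructed for this demonstration, and WIKIAUTH_USER is defined here only so the snippet runs on its own. It shows why the check must be explicitly enabled rather than autodetected, and why a strict comparison matters when REMOTE_USER or the user id can be empty.

```php
<?php
// Added example (not phpwiki's code): explicit opt-in check of the
// web-server-supplied REMOTE_USER, modelled on the _pwcheck() hook
// discussed in the thread. pubcookie_pwcheck() and the scenario list
// below are constructed for illustration.

define('WIKIAUTH_USER', 1);

// The wiki owner must turn this on deliberately; nothing is autodetected.
if (!defined('USE_PUBCOOKIE_AUTH')) {
    define('USE_PUBCOOKIE_AUTH', false);
}

/**
 * Return WIKIAUTH_USER when the web server (the Pubcookie Apache module)
 * has already authenticated $userid, otherwise false.
 *
 * $server is passed in instead of reading $_SERVER directly so the
 * check can be exercised against constructed inputs.
 */
function pubcookie_pwcheck($userid, array $server, $enabled = USE_PUBCOOKIE_AUTH)
{
    // 1. Never trust REMOTE_USER unless the owner opted in: on a server
    //    without the Pubcookie module the variable may be absent or may
    //    have been set by some other authentication handler.
    if (!$enabled) {
        return false;
    }
    // 2. REMOTE_USER must actually be present and non-empty.
    if (!isset($server['REMOTE_USER']) || $server['REMOTE_USER'] === '') {
        return false;
    }
    // 3. Strict comparison of non-empty strings: a loose == would let
    //    '' == '' (or '' == null) grant WIKIAUTH_USER to an empty user id.
    $userid = (string) $userid;
    if ($userid !== '' && $server['REMOTE_USER'] === $userid) {
        return WIKIAUTH_USER;
    }
    return false;
}

// Constructed scenarios, one per branch: (userid, server vars, enabled, expected)
$cases = array(
    'disabled, REMOTE_USER present' => array('alice', array('REMOTE_USER' => 'alice'), false, false),
    'enabled, matching user'        => array('alice', array('REMOTE_USER' => 'alice'), true,  WIKIAUTH_USER),
    'enabled, different user'       => array('bob',   array('REMOTE_USER' => 'alice'), true,  false),
    'enabled, REMOTE_USER unset'    => array('alice', array(),                          true,  false),
    'enabled, both empty'           => array('',      array('REMOTE_USER' => ''),      true,  false),
);

foreach ($cases as $label => $c) {
    list($userid, $server, $enabled, $expected) = $c;
    $got = pubcookie_pwcheck($userid, $server, $enabled);
    printf("%-32s -> %s\n", $label, $got === $expected ? 'ok' : 'FAIL');
}
```

Run with `php example.php`; every line should print `ok`. The "disabled, REMOTE_USER present" case is the one that matters for the autodetection concern: even with a correct-looking REMOTE_USER, the wiki grants nothing until the owner has set USE_PUBCOOKIE_AUTH to true.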