00837: AuthUser login gives access to all wikis on a farm
Description: Once you've logged into one PmWiki using AuthUser, you have access to all wikis in that farm.
There needs to be a default such that it only gives access to the current wiki.
I think this is related to the fact that by PHP default settings all session files on one server (also the ones belonging to different sites/wikis of the same user) are unsuitably pooled in one directory. To fix this, every authentication zone (single wiki within a farm in this case) should have either a separate session directory or some identifier saved within the session that prevents cross-usage of one authentication status gained on one wiki.
To complete this new mechanism, one has to take care that for all these wikis there is a different session cookie sent to the client, which can be done by uniquely naming the session depending on the authentication zone. (I have used
ini_set('session.name', 'PHPSESSID' . strtoupper(md5($UA2SiteIdentifier)));
for this in UserAuth2, and derived the site identifier from the file location of the userauth2.php script.) See www.php.net, search for "session", and check out the comment by gordon_e_rouse on 29th March 2007 for background.
(Note that I'm in any case in support of a more comprehensive solution, via replacing the PHP session implementation by some custom one on top of PHP.)
ThomasP May 18, 2007, at 06:17 AM
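Added example (not PmWiki's own code and not ThomasP's UserAuth2 code): a PHP fragment that does what the comment above describes, binding a session to one authentication zone by giving each wiki its own cookie name, its own session directory, and a zone marker stored inside the session that is checked on every request. The zone identifier derived from the entry script's directory, the `$session_root` path, and the `auth_zone` session key are assumptions made for the example; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Bind this PHP session to one authentication zone (one wiki in a farm) so
// that a login obtained on wiki A is not honoured on wiki B served by the
// same PHP installation.
//
// Assumptions (not from the original post):
//   - $zone uniquely identifies this wiki; here it is the directory of the
//     entry script, in the spirit of deriving it from the script location.
//   - Each zone's session files live in their own directory under
//     $session_root, which the web server can write and which is outside
//     the document root.

$zone         = realpath(__DIR__);                      // hypothetical: one zone per wiki directory
$zone_id      = strtoupper(md5($zone));                 // opaque, filesystem-safe identifier
$session_root = '/var/lib/php/sessions-wikifarm';       // hypothetical path

// 1. A distinct cookie name per zone, so the browser presents a different
//    session cookie to each wiki instead of one PHPSESSID for the whole host.
session_name('PHPSESSID' . $zone_id);

// 2. A distinct save_path per zone, so a session ID replayed from another
//    wiki simply does not exist in this wiki's session store.
$save_path = $session_root . '/' . $zone_id;
if (!is_dir($save_path) && !mkdir($save_path, 0700, true)) {
    http_response_code(500);
    exit('cannot create session directory');
}
ini_set('session.save_path', $save_path);

// 3. Scope the cookie to this wiki's URL path and keep it out of reach of
//    scripts; send it only over TLS when the request itself arrived over TLS.
session_set_cookie_params([
    'path'     => rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/',
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'samesite' => 'Lax',
]);
session_start();

// 4. Belt and braces: record the zone inside the session and discard any
//    session that carries another zone's marker. This also covers setups
//    that cannot use a per-zone save_path (for example a shared memcached
//    session handler), where step 2 gives no protection.
if (isset($_SESSION['auth_zone']) && $_SESSION['auth_zone'] !== $zone_id) {
    $_SESSION = [];                 // drop the foreign authentication state
    session_regenerate_id(true);    // and the ID that carried it
}
$_SESSION['auth_zone'] = $zone_id;

// From here on, the wiki's own login code can set $_SESSION['authid'] etc.;
// on successful login it should additionally call session_regenerate_id(true)
// so that an ID fixed before authentication is not kept afterwards.
```

Steps 1 and 2 implement the two alternatives named in the comment (separate cookie, separate session directory); step 4 is the "identifier saved within the session" variant and is the one to keep if the wikis share a non-file session backend. Note that `session_name()` and `ini_set('session.save_path', ...)` must both run before `session_start()`, so this fragment belongs at the top of the wiki's configuration, before anything that touches `$_SESSION`.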