CookieAuth

Note: The recipes here are for PmWiki versions 0.6 and 1.0 only. For PmWiki 2.0 recipes, see Cookbook.


Goal

PmWiki's default method for handling password authentication does not work on some web hosts (such as Powweb). This recipe provides some rudimetary authentication that should work on all hosts.

Umm, how is this functionally different from the sessionauth.php script that comes with a PmWiki distribution?

Solution

CookieAuth uses a login form that stores two cookies, one containing the user name and one containing an MD5 hash of the user name and a secret key. PmWiki's authentication function is replaced with one that checks the presence of these cookies. This technique is presented in chapter 44 of the book [(approve links) edit diff].

While this seems secure to me, I am not a security expert so I make no guarantees.

Files

Attach:cookieauth-0.1.tar.gz

Installation

  1. Extract the archive and place cookieauth.php into your local/ directory.
  2. Edit your local/config.php as follows:
    1. Add the line require_once('local/cookieauth.php');
    2. Set the $CookieAuthMd5Hash variable to a secret key -- a string of at least 20 random characters should suffice. You don't need to remember this key, it's just used to generate a cookie that can not be faked without knowledge of the key.
    3. Set the $DefaultPasswords['admin'] variable to the desired password.
    4. Optionally set the $CookieAuthSuccessUrl to the page you'd like to go to after a successful login.

Usage

  • To login, add ?action=login to any page address. Typically you would add a link such as ThisWiki:?action=login to your sidebar or homepage. You will need to enter a username but the actual value of the username is unimportant in this version of CookieAuth.
  • To set page passwords, append ?action=attr to the page's URL. The actual passwords entered here are ignored by CookieAuth - it only cares whether a password is set for a given action or not. So to make a page read-only put "yes" in the "Edit" password field. To clear a password, blank the appropriate field.
  • To logout, simply visit the login page again.

Limitations

Unlike PmWiki's default authentication system, CookieAuth uses only a single admin password. It could easily be adapted to support multiple users, but it will never do different passwords on each page very effectively because there is only a single login page rather than the pop-up login boxes.

Comments & Bugs

None so far...

Contributors

pmwiki-2.2.138 -- Last modified by {{Pm}}

from IP: 85.171.160.186 ip should be disabled by default for security reasons