Summary: Discussion of UserAuth2
Version: 2.2.3 (2010-03-03)
Status: released, stable, maintained (tested with PmWiki 2.1.11, 2.2.0-beta45)
Maintainer: ThomasP


I wanted to secure the login and user management. I came up with this solution, which seems to work, but I'd like feedback since I'm still new to mod_rewrite. Personally, I'd think it much cleaner if the code could do the redirects:

Charles: sonikbuddha ATT hotmail DOTT com
# Pick the URL scheme from the current connection.
if (@$_SERVER['HTTPS'] == 'on' || @$_SERVER['SERVER_PORT'] == '443') {
  $UrlScheme = 'https';
} else {
  $UrlScheme = 'http';
}
$ScriptUrl = $UrlScheme.'://';
$PubDirUrl = $UrlScheme.'://';


# Use mod_rewrite to enable "Clean URLs" for a PmWiki installation.
RewriteEngine On
# Define the rewrite base.
RewriteBase /wiki
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/wiki/Site/Login [OR]
RewriteCond %{QUERY_STRING} action=login [OR]
RewriteCond %{QUERY_STRING} ^n=Site.Login [OR]
RewriteCond %{QUERY_STRING} ^action=admin [OR]
RewriteCond %{QUERY_STRING} ^action=pwchange
RewriteRule (.*)$1 [R=permanent,L]
RewriteCond %{SERVER_PORT} 443
RewriteCond %{REQUEST_URI} !(\.gif|\.css) 
RewriteCond %{REQUEST_URI} !^/wiki/Site/Login
RewriteCond %{QUERY_STRING} !^n=Site/Login 
RewriteCond %{QUERY_STRING} !action=login
RewriteCond %{QUERY_STRING} !action=admin 
RewriteCond %{QUERY_STRING} !action=pwchange
RewriteRule (.*)$1 [R=permanent,L]
# Send requests without parameters to pmwiki.php.
RewriteRule ^$           pmwiki.php  [L]
# Send requests for index.php to pmwiki.php.
RewriteRule ^index\.php$ pmwiki.php  [L]
# Send requests to pmwiki.php, appending the query string part.
RewriteRule ^([A-Z0-9\xa0-\xff].*)$ pmwiki.php?n=$1  [QSA,L]
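
As an added example (not code from the post or from the UserAuth2 recipe), this is one way PHP could make the redirect decision that the port-80 rewrite conditions above make. The host `wiki.example.org` and all function names are assumptions. Only the upgrade to HTTPS is covered: redirecting back to port 80 is left out, because a session cookie without the Secure flag would then cross the unencrypted connection.

```php
<?php
// Added example: HTTPS upgrade for credential-handling requests, decided in PHP.
// Assumptions: WIKI_HOST is a placeholder; WIKI_BASE matches "RewriteBase /wiki".
const WIKI_HOST = 'wiki.example.org'; // fixed value, never the client's Host header
const WIKI_BASE = '/wiki';

function is_https(array $server): bool {
    return ($server['HTTPS'] ?? '') === 'on'
        || ($server['SERVER_PORT'] ?? '') == '443';
}

// True for the login page and the login, admin and pwchange actions,
// i.e. the cases the port-80 rewrite conditions list.
function is_sensitive(array $server, array $get): bool {
    $path = (string) parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $n = $get['n'] ?? null;
    $page = is_string($n) ? $n : substr($path, strlen(WIKI_BASE) + 1);
    $page = strtr((string) $page, '/', '.'); // Site/Login and Site.Login name one page
    return strcasecmp($page, 'Site.Login') === 0
        || in_array($get['action'] ?? '', ['login', 'admin', 'pwchange'], true);
}

// Returns the HTTPS URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server, array $get): ?string {
    if (is_https($server) || !is_sensitive($server, $get)) {
        return null;
    }
    $uri = (string) ($server['REQUEST_URI'] ?? '');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = WIKI_BASE . '/'; // refuse absolute-form or empty request targets
    }
    return 'https://' . WIKI_HOST . $uri;
}

// Constructed sample requests: [$_SERVER subset, $_GET].
$samples = [
    [['SERVER_PORT' => '80', 'REQUEST_URI' => '/wiki/Site/Login'], []],
    [['SERVER_PORT' => '80', 'REQUEST_URI' => '/wiki/pmwiki.php?n=Site.Login'], ['n' => 'Site.Login']],
    [['SERVER_PORT' => '80', 'REQUEST_URI' => '/wiki/Main/HomePage?action=pwchange'], ['action' => 'pwchange']],
    [['SERVER_PORT' => '443', 'REQUEST_URI' => '/wiki/Site/Login'], []],
    [['SERVER_PORT' => '80', 'REQUEST_URI' => '/wiki/Main/HomePage'], []],
];
foreach ($samples as [$server, $get]) {
    $to = https_redirect_target($server, $get);
    echo $server['REQUEST_URI'], ' => ', $to ?? '(no redirect)', "\n";
}
// In a live config file: if ($to !== null) { header("Location: $to", true, 301); exit; }
```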

I've removed any previous comments that I made here. Whilst I did have problems at first with:

  1. CleanUrls - see fix on main page re using '/' instead of '.' in the extra lines in config.php (at that time correct, now only dots should be used)
  2. Search box didn't work - I think this was down to using an early flavour of PmWiki (done)
  3. (:pagelist:) markup broken - same as search box above. (done)
  4. Not returning to correct page after logging in - same as CleanUrls

I did a clean install and have had no problems since - (I hope). I am enjoying using the software produced by people like PM and Thomas and my thanks go to them both.


Use latest version of software at all times and be careful of settings and you'll not go wrong!


I would really like MySQL database authentication, as I have a password-protected welcome page, forum and wiki, and adding new users is a pain: I have to add them in three different files (.htpasswd (until I find a decent PHP/MySQL login script), wiki (using userauth2) and MyBB (in the MySQL database)).
Having it all in one table in a MySQL database would be so much easier.

It would be probably most optimal if one would use the database organization of MyBB, otherwise you would just end up maintaining two databases / database tables. Can you provide details? (I guess though it is better in the end to create only hooks in UserAuth2 that can be connected with whatever backend is necessary.) ThomasP May 27, 2007, at 05:58 AM

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 40 bytes) in /home/*/public_html/*/*/*/wiki/cookbook/userauth2.php on line 1009. Using the latest version (stable5).

Thanks. This line contains an unserialize() call. Maybe an endless loop in the unserialize code due to an unclean saved permission record? If persistent, try to reduce the maximum sizes of the two caches or (for testing) disable the caching completely. See implementation reference. ThomasP September 12, 2007, at 10:14 AM

The required dot in the URL (. instead of /)

Why on earth is this a requirement? It's a pretty sad one. Most sites that I know of where pmwiki is used have used the / instead of the dot. So none of them can use UserAuth2.

Hi, you have probably seen this requirement at the first configuration scribble in the installation notes. But actually it refers only to those two lines, i.e. when setting the $HomePage and $LoginPage variables, and to the permission record. In both of these cases the dot should/has to be used. Apart from these configuration-related places, your pmwiki is allowed to use CleanUrls. (Slashes will then automatically be mapped to dots internally for the permission check.) ThomasP October 02, 2008, at 01:36 PM

I'm working with wikifields (Cookbook.WikiFarmAlternative) which places the pmwiki largely out of the way of the web path. The directory structure looks like this:

  ------userauth2/ (hopefully this will only contain the static objects)
  ------config.php (system-wide configurations, common to all wikifields) 
  ------setworkdir.php (sets up the working directories for the wiki based on a variable set in each wiki's local/config.php)
  ---var/ (where work goes)
  ------WIKINAME/ (per-wiki directory)
  ---------wiki.d/ (where wiki pages live for this wiki)
  ---------userauth2/ (where dynamic userauth2 info lives for this wiki)

I'd prefer to be able to split out dynamic portions of userauth2 from static portions for the obvious benefit of keeping one copy of something everyone can run and still keep their data separate.

--tamouse September 20, 2011, at 08:12 AM

PKHG speaking (10 June 2007 9:00)

I am trying to understand the following error:

  1. Running PmWiki beta54 on the local webserver AbyssWebServer, authorization works fine.
    Prefix WEB.
  2. Running the same PmWiki (copy a whole directory) on XAMPP Apache, authorization does not work at all.
    Prefix XAMPP.
  3. I set AbyssWebServer listening to port 8888 (so both versions run at the same time, visible in tabs of FF).

Started debugging on 7.6.07. I use in userauth2.php this code.

function debugMsg($par1,$msg){
    echo("<br >XAMPP $msg");
  } else {
    echo("<br />XAMPP array: $par1 <br />");

Output is generated by removing the // comment before appendToUA2ErrorLog commands, flushed by flushUA2ErrorLog.

  1. Opening of Site/Login gives output which on both versions is similar (the difference is only a prefix WEB and XAMPP respectively).
  2. Logging in, the WEB version remembers the user: admin, the XAMPP version stays unauthorized (admin!).
  • All SESSION variables of the XAMPP version (except CacheStarttime) have 'vanished'?
    I am chasing the place where SESSION is cleared (unexpectedly).

originally entered at standalone page UserAuth2Devel (deleted)

Deprecation error on PHP 7.0
Running PmWiki 2.2.91 on Ubuntu 16.04 with Apache 2.4.18 and PHP 7.0.15-0ubuntu0.16.04, I get the following error in Apache's error.log:
 PHP Deprecated:  Methods with the same name as their class will not be 
 constructors in a future version of PHP; UserSessionVars has a deprecated constructor 
 in /home/paul/wwwroot/w/cookbook/userauth2/UserSessionVars.php on line 109, 

I am no PHP god. Does anyone know a quick fix for this?

PaulWiegmans February 24, 2017

You may replace line 133 in userauth2/UserSessionVars.php

function UserSessionVars() {

with

function __construct() {


mfwolff 2017-03-04

Talk page for the UserAuth2 recipe (users).