00837: AuthUser login gives access to all wikis on a farm

Summary: AuthUser login gives access to all wikis on a farm
Created: 2006-11-25 13:37
Status: Closed - fix documented in WikiFarms
Category: Bug
From: GNUZoo
Priority: 555
Version: 2.2.0-beta16

Description: Once you've logged into one PmWiki using AuthUser, you have access to all wikis in that farm.

There needs to be a default so that it only gives access to the current wiki.


I think this is related to the fact that, by PHP default settings, all session files on one server (including those belonging to different sites/wikis of the same user) are unsuitably pooled in one directory. To fix this, every authentication zone (a single wiki within a farm in this case) should have either a separate session directory or some identifier saved within the session that prevents cross-usage of an authentication status gained on one wiki.

To complete this new mechanism, one has to make sure that a different session cookie is sent to the client for each of these wikis, which can be done by uniquely naming the session depending on the authentication zone. (I have used

ini_set('session.name', 'PHPSESSID' . strtoupper(md5($UA2SiteIdentifier)));

for this in UserAuth2, and derived the site identifier from the file location of the userauth2.php script.) See www.php.net, search for "session", and check out the comment by gordon_e_rouse of 29th March 2007 for background.

(Note that I am in any case in favour of a more comprehensive solution, by replacing the PHP session implementation with a custom one on top of PHP.)

ThomasP May 18, 2007, at 06:17 AM

This is a documented "feature" of PHP sessions. You need to set a different session_name for different wikis in the farm. See the large section in PmWiki.WikiFarms. --Petko November 15, 2007, at 07:19 PM
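The following is an added example illustrating the two mechanisms discussed in the comments above (a per-wiki session cookie name as Petko recommends, and a per-wiki session directory plus an identifier stored in the session as ThomasP proposes). It is not PmWiki's own code, nor the reporter's or commenters' code, and it does not reproduce the WikiFarms documentation. It assumes it is included from each wiki's local/config.php before anything calls session_start(), that the wiki's identity can be derived from the directory holding that config file, and a session root directory (/var/lib/php/pmwiki-sessions) that is writable by the web server and outside the document root; all of those paths and the function names are assumptions. The array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not PmWiki's or the commenters' code. Assumed: included from a
// wiki's local/config.php before session_start(); one wiki per config directory.

// The weak default: every wiki on the host uses the PHP defaults (session.name
// PHPSESSID, one shared session.save_path). A browser that authenticated on
// wiki A sends the same cookie to wiki B, and B loads the same session file,
// complete with A's stored authentication state. In code that is simply:
//
//     session_start();   // shared cookie name, shared session store
//
// The hardened version below gives each wiki its own cookie name and its own
// session store, and refuses to reuse a session created by another wiki.

function farm_site_identifier($configDir) {
    // Stable, cookie-safe identifier derived from the wiki's location on disk
    // (the same idea as deriving it from the script path in the comment above).
    return strtoupper(substr(md5(realpath($configDir)), 0, 16));
}

function farm_session_start($configDir, $sessionRoot) {
    $site = farm_site_identifier($configDir);

    // 1. Distinct cookie name, so wiki A's session id is never sent to wiki B.
    session_name('PHPSESSID' . $site);

    // 2. Distinct save directory, so a session id replayed from another wiki
    //    cannot resolve to an existing session file here. Strict mode makes PHP
    //    issue a fresh id instead of adopting an unknown one from the client.
    $dir = rtrim($sessionRoot, '/') . '/' . $site;
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    session_save_path($dir);
    ini_set('session.use_strict_mode', '1');

    // Keep the cookie out of script reach and off cross-site requests.
    session_set_cookie_params([
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // 3. Record which wiki created the session and discard any session that
    //    belongs to a different one (defence in depth if 1 or 2 is misconfigured).
    if (isset($_SESSION['farm_site']) && $_SESSION['farm_site'] !== $site) {
        $_SESSION = [];
        session_regenerate_id(true);   // new id, old session file deleted
    }
    $_SESSION['farm_site'] = $site;
    return $site;
}

// Usage from a wiki's local/config.php (the session root path is an assumption):
// farm_session_start(__DIR__, '/var/lib/php/pmwiki-sessions');
```

A quick check after deploying: log in to one wiki, then open another wiki on the same farm in the same browser and confirm its cookie name differs (PHPSESSID followed by a different suffix) and that it still shows you as logged out. If the second wiki is authenticated, some code path is calling session_start() before this function runs.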