Hello,

A colleague from the University of Bordeaux, France, is working on authentication through CAS [1,2] in DokuWiki. He managed to get it working by using CAS only for user/password checking in CAS; DW's ACLs, profiles, etc. are used directly inside DW.

Now he is facing a problem: when using CAS, user auto-registration, user password changes and user profile updates must be forbidden.

Here are some changes he made:

- removed DOKU_COOKIE use from auth_login;
- removed the $user, $pass, auth_browseruid and $USERINFO variables from SESSION;

Question: what impact do these changes have on the security of DW? In particular, in his modified DW, it's CAS which is taking care of the "browser uid"; what issues can this raise?

Cheers,
gb

[1] http://www.yale.edu/tp/auth
[2] http://esup-phpcas.sourceforge.net/

--
DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist