[dokuwiki] Re: Data protection by login via HTTPS, source code readable only for registered users
- From: Dave Kliczbor <maligree@xxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Mon, 31 Jul 2006 19:42:23 +0200
hey out there...
I tinkered a bit over my previous questions and came up with a partial
solution...
Just to recap: I wanted login and session data to go over HTTPS. And, to
prevent snoopers from taking over the session, the session should be
invalidated when switching over to HTTP.
Preconditions: I have configured in apache both https and http virtual
hosts to use the same DocumentRoot and put dokuwiki in there. That means
http://host/dokuwiki/bla
refers to exactly the same content as
https://host/dokuwiki/bla
To get login and session data to HTTPS, the following has to be appended
to the .htaccess of dokuwiki:
#HTTPS for login in dokuwiki
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} do\=(login|logout|register|resendpwd|admin)
RewriteRule (.*) https://yourhost.tld/path/to/dokuwiki/$1 [R]
It is crucial that the .htaccess with the above lines is in the same
directory as doku.php, else the RewriteRule does not do what you want
and you'll have to rewrite it ;)
To log the user out as soon as one HTTP request in the session is made,
I added a small code block in inc/actions.php, at the beginning of
act_dispatch(), after the declaration of global variables:
// Log the user out when the option is enabled and this request did not
// arrive over HTTPS. Under Apache $_SERVER['HTTPS'] is simply absent on
// plain HTTP requests, so check isset() first to avoid an E_NOTICE.
if( $conf['logout_on_http'] === true
    && ( !isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== "on" ) ) {
    act_auth('logout');
}
Okay, now I'll look into making the wiki source code readable only for
registered users.
cya
Dave Kliczbor
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
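As an added illustration (not code from the post or from DokuWiki itself), the following Python models both the .htaccess redirect rule and the logout-on-HTTP check from the message, so the two conditions can be exercised against sample request lines offline; the host, path and the /dokuwiki/ directory are assumptions taken from the placeholder URL in the post.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed values: the placeholder host/path from the .htaccess above and
# the directory the .htaccess lives in (must be the one holding doku.php).
HTTPS_BASE = "https://yourhost.tld/path/to/dokuwiki/"
HTACCESS_DIR = "/dokuwiki/"

# RewriteCond %{THE_REQUEST} do\=(login|logout|register|resendpwd|admin)
PROTECTED_ACTION = re.compile(r"do=(login|logout|register|resendpwd|admin)")


def rewrite_target(request_line: str, https_on: bool) -> Optional[str]:
    """Model of the rewrite rule: return the HTTPS redirect URL, or None.

    request_line is Apache's %{THE_REQUEST}, e.g.
    'GET /dokuwiki/doku.php?id=start&do=login HTTP/1.1'.
    """
    if https_on:                                    # RewriteCond %{HTTPS} off
        return None
    if not PROTECTED_ACTION.search(request_line):   # not a login-type action
        return None
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if not parts.path.startswith(HTACCESS_DIR):     # rule only applies below the .htaccess
        return None
    # In a per-directory .htaccess, $1 is the path relative to that directory,
    # which is why the file must sit next to doku.php.
    url = HTTPS_BASE + parts.path[len(HTACCESS_DIR):]
    if parts.query:                                 # mod_rewrite passes the query string through
        url += "?" + parts.query
    return url


def must_logout(conf: dict, server: dict) -> bool:
    """Model of the act_dispatch() check.

    Under Apache, $_SERVER['HTTPS'] is absent on plain HTTP (some servers
    set it to "off"), so a missing key is treated as "not HTTPS".
    """
    return conf.get("logout_on_http") is True and server.get("HTTPS", "off") != "on"


if __name__ == "__main__":
    req = "GET /dokuwiki/doku.php?id=start&do=login HTTP/1.1"   # constructed sample
    print(rewrite_target(req, https_on=False))
    print(must_logout({"logout_on_http": True}, {"REQUEST_URI": "/dokuwiki/doku.php"}))
```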