[dokuwiki] Re: Why is the auth system cookie-based?

Hi Gabriel,

It seems obvious to me that it is because a cookie persists longer than a 
session; closing the window does not force you to log back in ... once you're 
logged in, you're connected as long as you have your cookie.  If I'm not 
mistaken, the cookie is refreshed with every page view, so its cache timeout is 
always taken from the last page viewed rather than the first.

I guess the question you haven't reached yet is whether you want the wikis on your 
server to all use the same salt value so that a user can log into any wiki 
where his user name and password are set to the same value.  Then your 
users could roam freely within your websites/wikis.  Since the salt is stored 
as a file, you could copy it between sites ... I'm not sure how you would or if 
you could regenerate the password file with a new salt.

Kite

Gabriel Birke <Gabriel.Birke@xxxxxxxxx> wrote:

Hello,

today I figured out why users are logged out when you have two wikis on the
same server that share their session cookie: It was because the salt for
encrypting the password was different in the two wiki instances. After
copying data/meta_htcookiesalt from one instance to the other, everything
works fine now.

However, I can't figure out why the code in auth_login is implemented the
way it is implemented. As far as I understand, the cookie data (username and
password) is "cached" in the session, after the cache expires (the cache
lifetime is stored in $conf['auth_security_timeout']) the cookie data is
sent to the auth class. But why store the data in the cookie at all?
Wouldn't a session suffice? The code is very clever, I understand what it
does, but I don't understand the reason behind it. Can anyone explain?

Greetings,

Gabriel

-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
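The behaviour the thread describes (cookie data cached in the session, re-sent to the auth class once `auth_security_timeout` has passed, and two wikis on one server sharing a session but not a salt), replayed as an added Python model. This is not DokuWiki's code: the cookie layout, sealing the password with an HMAC keyed by the per-wiki salt, the plaintext sample user store, and every name below are constructed assumptions made for the illustration.

```python
import hashlib
import hmac


def seal(user, password, salt):
    """Model of the auth cookie: username plus an HMAC of the password keyed
    with the per-wiki salt. The exact layout is an assumption; the thread only
    says the cookie holds user name and password protected by a salt."""
    tag = hmac.new(salt, password.encode(), hashlib.sha256).hexdigest()
    return f"{user}|{tag}"


class WikiInstance:
    """One wiki: its own salt, a (possibly shared) PHP-style session, a user
    store standing in for the auth class, and the auth_security_timeout rule."""

    def __init__(self, salt, auth_security_timeout, session, user_store):
        self.salt = salt
        self.timeout = auth_security_timeout
        self.session = session      # dict shared when two wikis share one session cookie
        self.users = user_store     # constructed stand-in for the auth backend
        self.backend_calls = 0      # how often the backend was really consulted

    def login(self, user, password, now):
        """Form login: check the backend, prime the session cache, issue the cookie."""
        self.backend_calls += 1
        if self.users.get(user) != password:
            return None
        self.session.update(user=user, checked_at=now)
        return seal(user, password, self.salt)

    def auth_login(self, cookie, now):
        """Per-page-view authentication as described in the thread: trust the
        session cache while it is younger than auth_security_timeout, otherwise
        hand the cookie data back to the auth backend."""
        if cookie is None:
            return None
        user, _tag = cookie.split("|", 1)
        if self.session.get("user") == user and now - self.session["checked_at"] < self.timeout:
            return user                          # fresh cache: no backend round-trip
        self.backend_calls += 1
        stored = self.users.get(user)
        expected = seal(user, stored, self.salt) if stored is not None else None
        if expected is None or not hmac.compare_digest(expected, cookie):
            self.session.clear()                 # wrong salt or changed password: logged out
            return None
        self.session.update(user=user, checked_at=now)
        return user


def demo(auth_security_timeout=60):
    """Replays the situation from the thread and returns what each page view saw."""
    session = {}                                              # shared: same server, same session cookie
    users = {"gabriel": "correct horse battery staple"}       # constructed sample account
    wiki_a = WikiInstance(b"salt-of-wiki-a", auth_security_timeout, session, users)
    wiki_b = WikiInstance(b"salt-of-wiki-b", auth_security_timeout, session, users)

    cookie = wiki_a.login("gabriel", "correct horse battery staple", now=0)
    seen = {}
    seen["b_within_timeout"] = wiki_b.auth_login(cookie, now=10)   # cache hit via shared session
    seen["b_after_timeout"] = wiki_b.auth_login(cookie, now=100)   # re-check with B's own salt fails
    wiki_b.salt = wiki_a.salt                                      # the meta_htcookiesalt copy
    seen["b_after_salt_copy"] = wiki_b.auth_login(cookie, now=100)
    users["gabriel"] = "new password"                              # password changed in the backend
    seen["a_stale_cache"] = wiki_a.auth_login(cookie, now=150)     # still cached: old cookie accepted
    seen["a_after_recheck"] = wiki_a.auth_login(cookie, now=200)   # timeout passed: cookie rejected
    seen["backend_calls"] = (wiki_a.backend_calls, wiki_b.backend_calls)
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run makes visible: the second wiki serves page views from the shared session until the cache ages out, and only then does its own salt get a say, which is exactly the delayed logout Gabriel saw; and once the salt is copied, every wiki holding that file accepts the same cookie, so the salt file needs the same protection as the password file. The cache also means a password changed in the backend keeps being honoured for up to `auth_security_timeout` seconds, which is the trade-off the timeout setting controls.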
