[dokuwiki] Re: Why is the auth system cookie-based?
- From: Jason Keltz <jas@xxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Wed, 05 Dec 2007 11:34:31 -0500
On 12/05/07 10:01, Gabriel Birke wrote:
> Hello,
>
> today I figured out why users are logged out when you have two wikis on the
> same server that share their session cookie: It was because the salt for
> encrypting the password was different in the two wiki instances. After
> copying data/meta_htcookiesalt from one instance to the other, everything
> works fine now.
>
> However, I can't figure out why the code in auth_login is implemented the
> way it is implemented. As far as I understand, the cookie data (username and
> password) is "cached" in the session, after the cache expires (the cache
> lifetime is stored in $conf['auth_security_timeout']) the cookie data is
> sent to the auth class. But why store the data in the cookie at all?
> Wouldn't a session suffice? The code is very clever, I understand what it
> does, but I don't understand the reason behind it. Can anyone explain?

Is it really that easy for single sign on?
I was under the impression that in addition to _htcookiesalt, there
needed to be some adjustment of the setcookie calls since they use
DOKU_REL where init.php defines DOKU_REL using getBaseURL(). I had
wanted to use single sign on, but didn't want to modify the DW code to
do it.
jason.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
- Follow-Ups:
- [dokuwiki] AW: Re: Why is the auth system cookie-based?
- From: Gabriel Birke
- [dokuwiki] Single-sign on for one server WAS: Re: Why is the auth system cookie-based?
- From: Gabriel Birke
- References:
- [dokuwiki] Why is the auth system cookie-based?
- From: Gabriel Birke