[dokuwiki] Re: Why is the auth system cookie-based?

  • From: "Gabriel Birke" <Gabriel.Birke@xxxxxxxxx>
  • To: <dokuwiki@xxxxxxxxxxxxx>
  • Date: Thu, 6 Dec 2007 11:11:57 +0100

Hi Kite,
 
Thanks for your explanation, but I don't think it's right: The session is
also cookie based and the session cookie lifetime could be set to persist
after the browser window is closed (using the php function
session_set_cookie_params), depending on the checkbox status of the login
form.
 
Cookies always expire at a fixed date
(http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes). It is true
that the cookie lifetime is regenerated at every page request in auth_login.
But the lifetime of the session cookie could also be re-set.
 
I think there is another explanation for the use of a separate cookie.
 
Gabriel
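As an added illustration of the point made above (example code, not DokuWiki's own code): a PHP session cookie can be made to outlive the browser window by setting its lifetime with session_set_cookie_params() before session_start(), and that lifetime can be re-set on every request by re-sending the cookie, just as DokuWiki refreshes its auth cookie. The 14-day lifetime, the `remember` form field and the `$_SESSION['remember']` flag are assumptions made for this example; the positional argument form is used because it works on PHP 5.2 and later.

```php
<?php
// Added example, not DokuWiki code: a session whose cookie persists past
// browser close when the user ticked a "remember me" box, with the expiry
// refreshed on every request so it counts from the last page view.

define('REMEMBER_LIFETIME', 14 * 24 * 3600); // 14 days (constructed value)

/**
 * Start or resume the session.
 * $remember is the login form's checkbox value on the login request and
 * null on every other request. Must be called before any output is sent,
 * because both session_start() and setcookie() send headers.
 */
function start_session_cookie($remember = null)
{
    if ($remember === null) {
        // Not the login request: start with the browser-session default
        // and read the user's earlier choice from the session itself.
        session_set_cookie_params(0, '/', '', true, true);
        session_start();
        $remember = !empty($_SESSION['remember']);
    } else {
        // Login request: lifetime 0 means "until the browser is closed".
        $lifetime = $remember ? REMEMBER_LIFETIME : 0;
        // path '/', empty domain, secure (HTTPS only) and httponly
        // (not readable from JavaScript) are assumptions of this example.
        session_set_cookie_params($lifetime, '/', '', true, true);
        session_start();
        session_regenerate_id(true);   // fresh id at login, closes fixation
        $_SESSION['remember'] = (bool) $remember;
    }

    if ($remember) {
        // Re-send the session cookie with a new expiry so the timeout is
        // measured from this request, not from the first page viewed.
        setcookie(session_name(), session_id(),
                  time() + REMEMBER_LIFETIME, '/', '', true, true);
    }
}

// On the login handler (after the password check succeeded):
//   start_session_cookie(!empty($_POST['remember']));
// On every other page:
//   start_session_cookie();
```

Note that the session data itself still lives in PHP's session store, so its garbage-collection limit (session.gc_maxlifetime) must be at least as long as the cookie lifetime, or the server side of a "remembered" login disappears before the cookie does.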



  _____  

From: dokuwiki-bounce@xxxxxxxxxxxxx [mailto:dokuwiki-bounce@xxxxxxxxxxxxx] On
behalf of Kite
Sent: Wednesday, 5 December 2007 17:17
To: dokuwiki@xxxxxxxxxxxxx
Subject: [dokuwiki] Re: Why is the auth system cookie-based?


Hi Gabriel,

It seems obvious to me that it is because a cookie persists longer than a
session; closing the window does not force you to log back in ... once
you're logged in, you're connected as long as you have your cookie.  If I'm
not mistaken, the cookie is refreshed with every page view, so its cache
timeout is always taken from the last page viewed rather than the first.

I guess the question you haven't reached yet is do you want the wikis on
your server to all use the same salt value so that a user can log into any
wiki where his user name and password are set to the same value.  Then
your users could roam freely within your websites/wikis.  Since the Salt is
stored as a file, you could copy it between sites ... I'm not sure how you
would or if you could regenerate the password file with a new salt.

Kite

Gabriel Birke <Gabriel.Birke@xxxxxxxxx> wrote: 

Hello,

today I figured out why users are logged out when you have two wikis on the
same server that share their session cookie: It was because the salt for
encrypting the password was different in the two wiki instances. After
copying data/meta_htcookiesalt from one instance to the other, everything
works fine now.

However, I can't figure out why the code in auth_login is implemented the
way it is implemented. As far as I understand, the cookie data (username and
password) is "cached" in the session, after the cache expires (the cache
lifetime is stored in $conf['auth_security_timeout']) the cookie data is
sent to the auth class. But why store the data in the cookie at all?
Wouldn't a session suffice? The code is very clever, I understand what it
does, but I don't understand the reason behind it. Can anyone explain?

Greetings,

Gabriel

-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
