Guy Brand writes:
Hello,
A colleague from the University of Bordeaux, France, is working on
authentication through CAS[1,2] in DokuWiki. He managed to get it
working by using CAS only for user/password checking in CAS; DW's
ACLs, profiles, etc. are used directly inside DW. Now he is facing a
problem: using CAS, user auto-registration, user password changes
or user profile updates must be forbidden. Here are some changes he
made:
- removed DOKU_COOKIE use from auth_login;
- removed $user, $pass, auth_browseruid, $USERINFO variables from SESSION;
Question: what impact do these changes have on the security of DW? In particular, in his modified DW, it's CAS which is taking care of the "browser uid"; what issues can this raise?
Andi
-- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist