Hello out there, [DokuWiki core 2006-03-09b + a few plugins] after tinkering a lot with DokuWiki (some plugins/extensions will result out of this, I just have some bugfixing and doku left to do), I wonder how to protect things like mail addresses and login passwords better. I'm creating a half-closed site where not giving mail addresses out to spam bots is a big issue. On the other side, having a half-public site, I don't want the site to be too closed and mail addresses just have to show up in some form. Therefore, I figured it best a) having the "guest user" access the pages via plain HTTP, but b) login (and, if possible, session data too) should go over HTTPS. And c) no guest should even have access to the plain wiki code, because there's the mail address in plain text, ready to be spammed. a) is already the default state, so I have to focus on switching to HTTPS, and staying there. For b), I figured from previous posts that that means tinkering a bit with mod_rewrite (or patching the dokuwiki core scripts), but I'm not sure about the full keyword list. I could create a rewrite rule that triggers on 'do=login', but couldn't that also be sent via HTTP POST and not show up in %{REQUEST}? And does the form then _reliably_ point to a HTTPS action url? I'd call it reliable if DokuWiki works with relative URLs by design, so that an internal link always omits the 'http://host' part in both caches and delivered pages. Just to be sure: Does DokuWiki work by design with relative internal URLs? (user stupidity is taken aside ;) And then there's the question if the session stops when trying to access it via HTTP? (Stop means: The user has to re-login) I've had some bad issues with Typo3 switching unreliably back and forth between HTTP and HTTPS, partly having to do with caches and absolute links, so I'd rather like a developer's opinion on that. For c), I can't seem to find any information apart from protecting the dokuwiki data directory via .htaccess, so either I have a blind spot there or there isn't any ;) To put it clear, I want the "guest user" have read access to (most of) the rendered pages, but _not_ to the wiki sources. Could this be done without modifying the core? (I'd rather like the core scripts unchanged for easy core updates). If not, in which corner of the core do I need to put something in the sense of "if auth level < EDIT then show a HTTPS link to the login page instead of the textarea with wiki code"? And would that be enough? Sorry that this post was getting longer and longer, but I've had a lot of issues and thoughts coming up while writing... cya Dave KLiczbor -- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist