[dokuwiki] Re: Data protection by login via HTTPS, source code readable only for registered users

  • From: Dave Kliczbor <maligree@xxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 31 Jul 2006 19:42:23 +0200

hey out there...

I tinkered a bit over my previous questions and came up with a partial
solution...

Just to recap: I wanted login and session data go over HTTPS. And, to
prevent snoopers from taking over of the session, the session should be
invalidated when switching over to HTTP.

Preconditions: I have configured in apache both https and http virtual
hosts to use the same DocumentRoot and put dokuwiki in there. That means
  http://host/dokuwiki/bla
refers to exactly the same content as
  https://host/dokuwiki/bla

To get login and session data to HTTPS, the following has to be appended
to the .htaccess of dokuwiki:

  # HTTPS for login in dokuwiki: if the request came in over plain HTTP and
  # its request line carries one of the sensitive actions, redirect the
  # same path to the HTTPS host (THE_REQUEST holds the full request line,
  # so the query string "do=..." is visible to the match)
  RewriteCond %{HTTPS} off
  RewriteCond %{THE_REQUEST} do\=(login|logout|register|resendpwd|admin)
  RewriteRule (.*) https://yourhost.tld/path/to/dokuwiki/$1 [R]

It is crucial that the .htaccess with the above lines is in the same
directory as doku.php, else the RewriteRule does not do what you want
and you'll have to rewrite it ;)


To log the user out as soon as one HTTP request in the session is made,
I added a small code block in inc/actions.php, at the beginning of
act_dispatch(), after the declaration of global variables:

  // logout_on_http is a local config flag (not a stock DokuWiki option).
  // $_SERVER['HTTPS'] is unset on plain-HTTP requests, so test with empty()
  // first to avoid a PHP notice before the string comparison.
  if( $conf['logout_on_http'] === true
      && ( empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== "on" ) ) {
    act_auth('logout');
  }


Okay, now I'll look into making the wiki source code readable only for
registered users.

cya
 Dave Kliczbor
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
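The policy described in the post, as an added example that is not part of the original message and not DokuWiki code: the .htaccess redirect and the act_dispatch() logout are folded into one decision function so the three outcomes can be checked offline with constructed requests. It also shows the cookie-flag step the post does not cover: the logout-on-HTTP check only runs after the browser has already sent the session cookie in clear text once, whereas marking the cookie `secure` keeps it off plain HTTP entirely. Function names (`https_policy`, `https_url`, `harden_session_cookie`), the `$https_actions` list and the `logout_on_http` key are assumptions of this example.

```php
<?php
// Added example, not from the mailing-list post or the DokuWiki project.
// Names (https_policy, https_url, harden_session_cookie, logout_on_http)
// are assumptions of this example.

/**
 * Decide how to treat one request under the "login over HTTPS only" policy.
 *
 * Returns one of:
 *   'redirect' - plain-HTTP request for a sensitive action: send it to HTTPS
 *                (what the RewriteRule in the post does)
 *   'logout'   - plain-HTTP request while logout_on_http is enabled: drop the
 *                session (what the act_dispatch() block in the post does)
 *   'ok'       - nothing to do
 */
function https_policy(array $server, array $get, array $conf, array $https_actions)
{
    // $_SERVER['HTTPS'] is unset on plain HTTP, "on" under mod_ssl
    $is_https = isset($server['HTTPS']) && $server['HTTPS'] === 'on';
    // DokuWiki's action parameter; "show" is the default when absent
    $action = isset($get['do']) ? $get['do'] : 'show';

    if (!$is_https && in_array($action, $https_actions, true)) {
        return 'redirect';
    }
    if (!$is_https && !empty($conf['logout_on_http'])) {
        return 'logout';
    }
    return 'ok';
}

/**
 * Rebuild the same request URI on the HTTPS host, mirroring the post's
 * RewriteRule (which only works when .htaccess sits beside doku.php).
 */
function https_url(array $server, $https_host)
{
    return 'https://' . $https_host . $server['REQUEST_URI'];
}

/**
 * Cookie hardening to call before session_start(): with the secure flag the
 * browser never sends the session cookie over plain HTTP, so a snooper does
 * not get one clear-text copy before the logout check fires.
 */
function harden_session_cookie()
{
    ini_set('session.cookie_secure', '1');    // only sent over HTTPS
    ini_set('session.cookie_httponly', '1');  // not readable by page scripts
    ini_set('session.use_only_cookies', '1'); // no session id in URLs
}

// --- Driver with constructed requests (not real traffic) ---------------
$conf          = array('logout_on_http' => true);
$https_actions = array('login', 'logout', 'register', 'resendpwd', 'admin');
$host          = 'yourhost.tld';

$cases = array(
    // plain HTTP login attempt: must be redirected to HTTPS
    array(array('REQUEST_URI' => '/dokuwiki/doku.php?id=start&do=login'),
          array('id' => 'start', 'do' => 'login')),
    // plain HTTP page view with an existing session: must log out
    array(array('REQUEST_URI' => '/dokuwiki/doku.php?id=start'),
          array('id' => 'start')),
    // HTTPS login: fine
    array(array('HTTPS' => 'on', 'REQUEST_URI' => '/dokuwiki/doku.php?do=login'),
          array('do' => 'login')),
);

foreach ($cases as $case) {
    list($server, $get) = $case;
    $decision = https_policy($server, $get, $conf, $https_actions);
    $line = $server['REQUEST_URI'] . ' -> ' . $decision;
    if ($decision === 'redirect') {
        $line .= ' to ' . https_url($server, $host);
    }
    echo $line, "\n";
}
```

Running the driver prints `redirect` for the plain-HTTP login (with the rebuilt `https://yourhost.tld/...` target), `logout` for the plain-HTTP page view, and `ok` for the HTTPS login. In a real deployment `harden_session_cookie()` belongs before `session_start()` in the bootstrap, and the redirect should still be done by the web server as in the post so that the request never reaches PHP over plain HTTP.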
