Partial Authentication Error
TWikiDocumentation knows me, but Edit does not.
Test case
Edit, Login, and Cancel at twiki.org. Now your browser has your credentials and quietly authenticates you for any further Edits. Close all browsers. Open a browser to TWikiDocumentation and view the Partial Authentication section. It knows who you are! Go try to Edit a page. You have to login because your browser no longer holds your credentials.
This is seriously confusing: do you know me or not?
twiki.org seems to be experimenting with Partial Authentication (recording IP + WikiName on the server). While this may be convenient on intranets, it is a security vulnerability on internets.
Hope this is clear (and not confusing).
Environment
--
DavidKing - 25 Aug 2003
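The behaviour in the test case above, replayed as an added model (not TWiki's own code, and in Python rather than TWiki's Perl): edits are gated by Basic auth, a successful edit records REMOTE_ADDR -> WikiName, and views trust that table, so a view from the same address is attributed to DavidKing even after the browser has dropped its credentials, and so is a view by anyone else sharing that address. A cookie-session variant is shown beside it; the class names and the 203.0.113.7 address are constructed for the example.

```python
import secrets

GUEST = "TWikiGuest"


class RememberRemoteUser:
    """Models the $doRememberRemoteUser style of 'partial authentication':
    after an authenticated edit, the server stores REMOTE_ADDR -> WikiName
    and trusts that mapping for later, unauthenticated views."""

    def __init__(self):
        self.by_ip = {}

    def edit(self, remote_addr, basic_auth_user=None):
        # Edit is protected by Basic auth: a request without credentials
        # gets a 401 (modelled as None); a success records the client's IP.
        if basic_auth_user is None:
            return None
        self.by_ip[remote_addr] = basic_auth_user
        return basic_auth_user

    def view(self, remote_addr):
        # View is unprotected; identity comes purely from the IP table.
        return self.by_ip.get(remote_addr, GUEST)


class CookieSession:
    """Alternative: identity keyed by an unguessable token carried in a cookie
    (the SessionPlugin approach), so nothing is inferred from the address."""

    def __init__(self):
        self.sessions = {}

    def login(self, basic_auth_user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = basic_auth_user
        return token

    def view(self, cookie_token=None):
        return self.sessions.get(cookie_token, GUEST)


def reproduce_report():
    """Replays David's test case and the shared-address risk it implies."""
    nat_ip = "203.0.113.7"  # constructed: one NAT address shared by two people
    twiki = RememberRemoteUser()
    twiki.edit(nat_ip, basic_auth_user="DavidKing")   # Edit, Login, Cancel
    after_restart_view = twiki.view(nat_ip)           # browser restarted...
    after_restart_edit = twiki.edit(nat_ip)           # ...so no credentials: 401
    colleague_view = twiki.view(nat_ip)               # someone else, same NAT
    sess = CookieSession()
    sess.login("DavidKing")                           # token stays in his browser
    colleague_view_with_sessions = sess.view()        # no cookie -> guest
    return {"view": after_restart_view, "edit": after_restart_edit,
            "other_client_same_ip": colleague_view,
            "other_client_with_sessions": colleague_view_with_sessions}
```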
Follow up
Not to beat a dead horse here, but these types of problems reflect much deeper problems which need to eventually be solved at TWiki's authentication core.
Plugins like SmartSessionPlugin conveniently mask all these problems with a clever yet conventional use of cookies and CGI variables, but changes eventually need to be made which do a better job at keeping correct authentication persistence at a deeper level of the TWiki core code.
For those who want to experiment with alternatives to $doRememberRemoteUser, check out SmartSessionPlugin as well as the conversations, patches, and other ideas in BetterThandoRememberRemoteUser and ImproveViewAuthentication and last but not least (perhaps the inevitable fix to all of these problems), CommonFrontEndCgiScript.
--
TedPavlic - 25 Aug 2003
Ted, thanks for your thoughtful and informative follow-up.
I understand sessions. It will take some review to understand how they are insufficient to solve these issues.
I look forward to learning about plugins using yours, and the amazing Smilies, as examples.
--
DavidKing - 26 Aug 2003
This is the current setup we have at TWiki.org. A low-tech solution that does not require cookies or session info in the URL.
A TWiki installation can opt to use no authentication at all; authentication only for edit (not view) using BasicAuthentication; or a cookie based authentication/session handling with the SessionPlugin or SmartSessionPlugin.
See docs on Authentication Options in TWikiUserAuthentication
--
PeterThoeny - 27 Aug 2003