For sites that don't use authentication normally, the (fixed) bug that leads to insecure view with failed authentication could be used to implement soft sessions.

A soft session would consist of:

  • Each non-authenticated user would be treated as a new TWikiGuest. (guest1, guest2, guest3, ...)
  • Each of these would have a logical virtual page initially. (Preferences could be stored in the cookie or in a temporary file on disk.)
  • If a user sets their name this becomes a physical page. A user can then be prompted for more details including a password if the local admin decides this is appropriate. (This doesn't happen on most other wiki engines. Allowing wiki behaviour from other wikis makes TWiki more rather than less attractive to users & organisations with existing wikis.)

Essentially the bug above implies that the majority of the code to implement this actually already exists. (Testing the bug on a site without the bug fixed allows almost all 3 steps.)

Simplest approach is to have a non-authenticated site with a login/prefs script sending a 401 header, and allowing doRemember/sessions to do the work they already do, but a) change the protection to check the auth was valid if the user is a passworded user, b) add in the functionality for logical pages. (Leads naturally to a variable cache which would be useful for the rest of TWiki as well.)

Around the same time as spotting the security issue I noticed that MattWilkie was interested in this reg-free sort of functionality and hence see the positive side of the bug - thanks Matt.

People who really want this feature now can enable the security flaw noted above, but it really isn't recommended. No, really, it isn't.

-- MS - 19 Dec 2003
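The mechanism sketched in the post above, modelled as an added example (this is illustrative code written for this page, not TWiki's code and not part of the original post): numbered guest identities for unauthenticated visitors, a tamper-evident preference cookie, promotion of a guest to a named (physical) user, and the protection check that a remembered identity is only honoured for a passworded user when authentication actually succeeded. The `fixed=False` path reproduces the failure mode the post describes, where a failed authentication still yields the remembered identity. The class and function names, the cookie format and the in-memory stores are assumptions of this model; the 401 login handshake itself is not modelled.

```python
"""Model of TWiki-style 'soft sessions' (illustrative example, not TWiki code)."""
import hashlib
import hmac
import itertools
import json
import secrets

# Assumption: a per-site secret used to sign the preference cookie.
SECRET = b"constructed-server-secret"
PBKDF2_ROUNDS = 100_000


def make_pref_cookie(prefs, secret=SECRET):
    """Serialise guest preferences into a cookie the client cannot silently edit."""
    payload = json.dumps(prefs, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def read_pref_cookie(cookie, secret=SECRET):
    """Return the prefs dict, or None if the cookie is malformed or was tampered with."""
    try:
        payload_hex, tag = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


class SoftSessions:
    """Guest identities, name promotion and the post-auth identity check."""

    def __init__(self):
        self._guest_ids = itertools.count(1)
        self.sessions = {}   # session id -> remembered user name (guestN or chosen name)
        self.physical = {}   # chosen name -> (salt, pbkdf2 digest), or None if no password

    def new_guest(self):
        """Step 1: every unauthenticated visitor becomes guest1, guest2, ..."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = "guest%d" % next(self._guest_ids)
        return sid

    def set_name(self, sid, name):
        """Step 3: the user picks a name, so the logical page becomes a physical one."""
        self.sessions[sid] = name
        self.physical.setdefault(name, None)

    def set_password(self, name, password):
        """Optional: the admin allows the named user to protect the name with a password."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.physical[name] = (salt, digest)

    def _password_ok(self, name, password):
        stored = self.physical.get(name)
        if stored is None or password is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def resolve(self, sid, password=None, fixed=True):
        """Return (session id, effective user name) for a request.

        A remembered guest or password-less name is honoured as-is: it is a soft
        identity and grants nothing beyond a name. A remembered passworded name is
        only honoured when the supplied password is valid; otherwise the request is
        demoted to a fresh guest. fixed=False skips that demotion, which is the
        'insecure view with failed authentication' behaviour.
        """
        remembered = self.sessions.get(sid)
        if remembered is None:
            sid = self.new_guest()
            return sid, self.sessions[sid]
        if self.physical.get(remembered) is None:
            return sid, remembered
        if self._password_ok(remembered, password):
            return sid, remembered
        if not fixed:
            return sid, remembered  # bug: identity granted although auth failed
        sid = self.new_guest()
        return sid, self.sessions[sid]
```

The protection point is the last branch of `resolve`: the remember cookie alone must never be enough to act as a passworded user, and the safe fallback on failure is a new guest rather than the remembered name. The preference cookie is signed only, not encrypted, so nothing secret should be stored in it.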

Re-worded "Around the same time" as it sounded like I was the one who spotted the security flaw! No, thank you MS for seeing the alternate application.

SvenDowideit may be implementing something like this in the way distant future as part of his work on DeleteAccount.

-- MattWilkie - 19 Dec 2003

Topic revision: r4 - 2004-01-01 - SvenDowideit