Bug: TWiki.org remember user causing problems
I've always been dubious about TWiki remembering users based on IP address, especially when you're behind a firewall. Just had a failure with this.
Error got error on following URL when I followed Create Personal Sidebar link:
Notice that I'm JohnTalintyre, but the URL includes DeclanGraham, someone else who works in my company.
As an aside, I was in Pattern skin before editing this bug, now I'm in the old "Classic" skin.
-- JohnTalintyre - 10 Sep 2004
Test case
Environment
-- JohnTalintyre - 10 Sep 2004
Follow up
Sounds explainable to me. If you're on the same IP as DeclanGraham, twiki.org will remember the last authentication it had from that IP. And that might very well be of DeclanGraham and not you. This explains why TWiki "suggests" that you create his LeftBar.
Concerning the skin issue, in your homepage you have set your SKIN variable to iejs, so as soon as TWiki recognizes you, it will use that skin - explaining the skin change after authentication. You should remove this variable if you like the PatternSkin better.
Last, you can consider using one of the authenticating plugins at your own site (SessionPlugin, SmartSessionPlugin, LoginNameAliasesPlugin, SiteMinderPlugin ..) to avoid this problem locally.
-- SteffenPoulsen - 10 Sep 2004
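A minimal model of the behaviour described in this reply, as an added example that is not TWiki code and not part of the thread: an IP-keyed remember table confuses two users behind one NAT address, while a per-browser session token does not. The class names, the address and the token handling are assumptions for illustration.

```python
import secrets

GUEST = "TWikiGuest"


class IpRememberStore:
    """Remembers the last authenticated user per source IP."""

    def __init__(self):
        self._by_ip = {}

    def authenticate(self, ip, wiki_name):
        self._by_ip[ip] = wiki_name  # last writer wins for the whole address

    def identify(self, ip):
        return self._by_ip.get(ip, GUEST)


class SessionStore:
    """Binds identity to a random per-browser token instead of the address."""

    def __init__(self):
        self._by_token = {}

    def authenticate(self, wiki_name):
        token = secrets.token_urlsafe(32)
        self._by_token[token] = wiki_name
        return token  # would be returned to the browser as a cookie

    def identify(self, token):
        return self._by_token.get(token, GUEST)


def simulate_shared_nat():
    """Two colleagues behind one NAT address; returns who each store reports."""
    nat_ip = "192.0.2.10"  # constructed documentation address

    by_ip = IpRememberStore()
    by_ip.authenticate(nat_ip, "JohnTalintyre")
    by_ip.authenticate(nat_ip, "DeclanGraham")  # colleague logs in later
    seen_by_ip = by_ip.identify(nat_ip)         # John's next plain view

    sessions = SessionStore()
    john_cookie = sessions.authenticate("JohnTalintyre")
    sessions.authenticate("DeclanGraham")       # gets a separate token
    seen_by_session = sessions.identify(john_cookie)
    without_cookie = sessions.identify(None)    # no token falls back to guest
    return seen_by_ip, seen_by_session, without_cookie
```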
Well yes, I am saying that the first problem is the remember IP address feature in twiki.org. Too many of us are behind NAT and hence this feature should be replaced by something else e.g. SessionPlugin.
Good point on my homepage. Unfortunately edit of this page on TWiki.org is broken. Also there's a confusion between skin and editor used, this didn't matter when there was only one skin on TWiki.org, but now it does.
Incidentally, SessionPlugin is an example I produced to show how we implemented Sessions for using an LDAP system at my site many years ago.
-- JohnTalintyre - 13 Sep 2004
I believe you can edit your page, but what you can't do is use the "preview" function while editing. Try to save the page directly instead.
I agree with you, that twiki.org could benefit from another authentication mechanism (I also regularly see myself as authenticated as other users from our site).
-- SteffenPoulsen - 19 Sep 2004
It is a bit disconcerting to see "Hello Some Other User" when I view this page. After authenticating, I do see my name, and other users then see "Hello Randall Chuck".
At Sun the use of Sunrays means many users share the same system/IP.
-- RandallChuck - 11 Feb 2005
I cannot understand why we don't simply use viewauth once we know who the user is... (also, you can simply add a login button with a URL that uses viewauth - logout is still horrible)
turn off RememberUser setting, and use the following patch (from DEVELOP)
Index: TWiki.pm
===================================================================
--- TWiki.pm (revision 3592)
+++ TWiki.pm (working copy)
@@ -913,6 +913,14 @@
# SMELL: topics and webs that contain spaces?
+#if user != TWikiGuest, and $theScript == view, set it to viewauth
+ if ( $this->{user}->wikiName() =~ /.*Guest.*/ ) {
+ } else {
+ if ( $theScript eq 'view' ) {
+ $theScript = 'viewauth';
+ }
+ }
+
# $this->{urlHost} is needed, see Codev.PageRedirectionNotWorking
my $url = "$this->{urlHost}$TWiki::cfg{DispScriptUrlPath}/$theScript$TWiki::cfg{ScriptSuffix}/$theWeb/$theTopic";
# FIXME consider a plugin call here - useful for certificated logon environment
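Review bot: The guest test on the added `if ( $this->{user}->wikiName() =~ /.*Guest.*/ )` line is an unanchored match, so any wiki name that merely contains "Guest" is treated as the guest account and keeps plain view URLs, while the comment above it states the intent as user != TWikiGuest. Compare with `ne 'TWikiGuest'` instead, and fold the empty if-branch and the nested test into one condition, for example `if ( $theScript eq 'view' && $this->{user}->wikiName() ne 'TWikiGuest' )`.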
for Cairo (untested)
Index: TWiki.pm
===================================================================
--- TWiki.pm (revision 3574)
+++ TWiki.pm (working copy)
@@ -1572,7 +1572,16 @@
sub getScriptUrl
{
my( $theWeb, $theTopic, $theScript ) = @_;
+
+ #if user != TWikiGuest, and $theScript == view, set it to viewauth
+ if ( $wikiName =~ /.*Guest.*/ ) {
+ } else {
+ if ( $theScript eq 'view' ) {
+ $theScript = 'viewauth';
+ }
+ }
+
my $url = "$urlHost$dispScriptUrlPath/$theScript$scriptSuffix/$theWeb/$theTopic";
# FIXME consider a plugin call here - useful for certificated logon environment
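Review bot: In this Cairo hunk, `$wikiName` is not among the parameters unpacked by `my( $theWeb, $theTopic, $theScript ) = @_;`, so the added check depends on a variable set outside the visible lines; if it is empty or unset when getScriptUrl runs, `/.*Guest.*/` does not match and every view link becomes viewauth, guests included. Since this version is marked untested, confirm the variable is populated before the first call, or leave `$theScript` unchanged when it is empty. The empty if-branch can also be replaced by a single negated condition.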
-- SvenDowideit - 11 Feb 2005
If I understand this correctly, above fix has the implication that a logged in user sees all view URLs now as .../viewauth/.... Not a problem for the user looking at a topic, but an issue if the user copies the URL into an e-mail. Now everyone clicking on that URL is forced to login, which is not very user friendly. If this is the case I suggest to make this behaviour configurable with a switch similar to the remember flag.
There is a second issue: There is a last name called Guest. Probably need to test for WIKINAME equal TWikiGuest.
-- PeterThoeny - 12 Feb 2005
point 1: yep, that (the non-emailable url) was the reason it was not used - thanks

- maybe we should revisit this decision - but we would also need to change the oops page to point the unauthed user to the view version of the url (if it exists)
point 2: good call - i wrote the hack for my http://home.org.au site, which really is just for me to test, but has TWikiGuest view (and registration is not intended to work at the moment)
if there is interest from others, we'll pursue it - i was just puzzled that we didn't do it.
mind you, it does eliminate the (i think unacceptable) situation that we now - so with some kind of fall back to unauthed-view (if TWikiGuest access is permitted) rather than to oops (for example) might fix everything bar the un-initiated being forced to hit cancel on a login screen..
-- SvenDowideit - 12 Feb 2005
Fix record