aboutsummaryrefslogtreecommitdiff
path: root/doc/patchqueue
diff options
context:
space:
mode:
authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-08-27 20:25:05 +0000
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-08-27 20:25:05 +0000
commit4ad7c9d6257ca106b2949d22f6300823190991a0 (patch)
tree9752444cfa70b40ab32627e3feb44781e56f2771 /doc/patchqueue
parent3ad4d93e33284ad6d51d2fa5f9abf1943b894d48 (diff)
downloadikiwiki-4ad7c9d6257ca106b2949d22f6300823190991a0.tar
ikiwiki-4ad7c9d6257ca106b2949d22f6300823190991a0.tar.gz
* Patch from James Westby to add a --sslcookie switch, which forces
cookies to only be sent over ssl connections to avoid interception. * Factor out the cgi header printing code into a new function. * Fix preferences page on anonok wikis; still need to sign in to get to the preferences page.
Diffstat (limited to 'doc/patchqueue')
-rw-r--r--doc/patchqueue/use-ssl-for-cookies.mdwn20
1 files changed, 0 insertions, 20 deletions
diff --git a/doc/patchqueue/use-ssl-for-cookies.mdwn b/doc/patchqueue/use-ssl-for-cookies.mdwn
deleted file mode 100644
index c2ee63782..000000000
--- a/doc/patchqueue/use-ssl-for-cookies.mdwn
+++ /dev/null
@@ -1,20 +0,0 @@
-It is very easy to stop the password being sniffed, you just use https:// for cgiurl
-(with appropriately configure server of course), and disallow access to the cgiscript
-over http.
-
-However the cookie is still sent for all requests, meaning that it could be stolen.
-I don't know quite how well CGI::Session defends against this, but the best it could
-do is probably tie it to an IP address, but that still leaves room for abuse.
-
-I have created a patch that adds a config option sslcookie, which causes the
-cookie to have it's secure property set. This means that it is only sent over SSL.
-So if you can configure apache to do what you want, you only have to change two options
-(cgiurl and sslcookie) to encrypt all authentication data.
-
-The disadvantage is that if someone were to activate it while using http:// I think it
-would mean they couldn't log in, as the browser would never offer the cookie.
-I think I have made the documentation clear enough on this point.
-
-http://jameswestby.net/scratch/sslcookie.diff
-
--- JamesWestby \ No newline at end of file