On 11/18/2010 10:09 PM, Brion Vibber wrote:
On Thu, Nov 18, 2010 at 11:53 AM, Hiram Clawson <hiram(a)soe.ucsc.edu> wrote:
Good Morning MediaWiki Fans:
Are there any options to turn on encryption of the password
from the login page? Is the login information sent in
clear text?
The only way to send passwords and session cookies securely is to run the
site over HTTPS; see your web server's documentation or your provider's
support pages on how to use HTTPS.
We experimented briefly in '05 with JavaScript stuff to send salted MD5
hashes instead of raw passwords which in theory is slightly more secure than
plaintext passwords over HTTP; but this never really worked out and
ultimately still leaves all your session tokens exposed. The web has a good
solution for this problem already, which is to run all authenticated
sessions and authentication information over an encrypted connection.
There are some options & extensions out there to help direct the login page
over to HTTPS if you need to serve unauthenticated pages over HTTP for
performance reasons, but it'll simplify your life a lot to just go
HTTPS-only.
-- brion
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
I do agree with Brion and implemented the secure login.
Try to log in at:
http://experimental.wikiation.nl (note this is the
http protocol) and see what happens at the login screen.
See
http://manual.wikiation.nl/Level_2_security_http_for_reading_https_for_edit…
Example of the required setting in Apache:
RewriteEngine On
RewriteRule ^/Special:UserLogin(.*) https://experimental.wikiation.nl/Special:UserLogin$1 [R=301,L]
And in LocalSettings.php
Disable $wgServer
Only https would be technically better, but it confuses the users.
Security is important.
Good luck.
With regards
Bernard Hulsman
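An added example, not code from the thread or from MediaWiki: an offline checker that applies Brion's caveat to Bernard's setup. It parses a raw HTTP response for the login URL and reports whether the plain-HTTP request was redirected to HTTPS and whether any cookie it sets lacks the Secure attribute (such a cookie is sent again over plain HTTP as soon as the user goes back to reading pages). The host and cookie names are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

@dataclass
class LoginCheck:
    redirects_to_https: bool               # plain-HTTP login request sent to https://?
    insecure_cookies: list = field(default_factory=list)  # cookies set without Secure

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_login_response(raw: str) -> LoginCheck:
    """Apply the two checks from the thread to one captured login response."""
    status, headers = parse_response(raw)
    location = next((v for n, v in headers if n == "location"), "")
    redirect_ok = status in REDIRECT_CODES and urlsplit(location).scheme == "https"
    insecure = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # attribute names after the first ';', e.g. path, httponly, secure
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            insecure.append(cookie_name)   # would be replayed over plain HTTP
    return LoginCheck(redirect_ok, insecure)

# Constructed sample: what Bernard's RewriteRule should answer to a plain-HTTP
# request for /Special:UserLogin (example.invalid is a placeholder host).
GOOD = ("HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://example.invalid/Special:UserLogin\r\n\r\n")

# Constructed sample: login form served over HTTP, setting a session cookie
# without Secure (cookie names are made up, not MediaWiki's real ones).
BAD = ("HTTP/1.1 200 OK\r\n"
       "Set-Cookie: wiki_session=abc123; path=/; HttpOnly\r\n"
       "Set-Cookie: wikiUserID=42; path=/; Secure; HttpOnly\r\n"
       "Content-Type: text/html\r\n\r\n<html>login form</html>")
```

Run `check_login_response` on a response captured with curl -i against your own wiki's login URL over http:// to see both results for a real deployment.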