On 11/18/2010 10:09 PM, Brion Vibber wrote:
On Thu, Nov 18, 2010 at 11:53 AM, Hiram
Good Morning MediaWiki Fans:
Are there any options to turn on encryption of the password
from the login page? Is the login information sent in
clear text?
The only way to send passwords and session cookies securely is to run the
site over HTTPS; see your web server's documentation or your provider's
support pages on how to use HTTPS.
hashes instead of raw passwords which in theory is slightly more secure than
plaintext passwords over HTTP; but this never really worked out and
ultimately still leaves all your session tokens exposed. The web has a good
solution for this problem already, which is to run all authenticated
sessions and authentication information over an encrypted connection.
There are some options & extensions out there to help direct the login page
over to HTTPS if you need to serve unauthenticated pages over HTTP for
performance reasons, but it'll simplify your life a lot to just go
MediaWiki-l mailing list
I do agree with Brion and implemented the secure login.
Try to log in at: http://experimental.wikiation.nl
(note this is the HTTP protocol) and see what happens at the login screen.
Example required setting in Apache:
And in LocalSettings.php
Only HTTPS would be technically better but confuses the users.
Security is important.
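
The point raised earlier in the thread, that securing only the login step still leaves session tokens exposed, can be checked from the login response headers. The script below is an added example, not code from this thread or from MediaWiki; the login URL, cookie names and header values are constructed sample data.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: headers as a wiki might return them after a login POST.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wiki_session=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "wikiUserID=42; path=/; secure; HttpOnly"),
    ("Set-Cookie", "wikiToken=deadbeef; path=/"),
]


def audit_login_response(login_url, headers):
    """Report what an on-path observer could read in clear text.

    password_exposed: the login form was submitted over plain HTTP.
    exposed_cookies:  cookies set without the Secure attribute; the browser
                      will attach them to every later http:// request, so
                      they leak even when the login itself used HTTPS.
    """
    password_exposed = urlsplit(login_url).scheme.lower() != "https"
    exposed_cookies = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses one Set-Cookie header value
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                exposed_cookies.append(cookie_name)
    return {"password_exposed": password_exposed,
            "exposed_cookies": exposed_cookies}


if __name__ == "__main__":
    # Login over HTTPS, rest of the site over HTTP: password is protected,
    # but two of the three cookies would still cross the wire unencrypted.
    url = "https://wiki.example/index.php?title=Special:UserLogin"
    print(audit_login_response(url, SAMPLE_HEADERS))
```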