On Sun, 2003-03-30 at 15:24, Tim Starling wrote:
> No-one will have to reset their password. I'll just use md5(md5(password) + salt) for the new hash. The only thing users will notice is that their stored cookies will stop working and they'll have to log in again.
If that's a good enough hash, then yes that would work fine as an automated upgrade path. Hurrah!
When you've got the code ready, send it over and I'll put it up on test.wikipedia.org for a whirl.
On Sun, 2003-03-30 at 15:30, Tim Starling wrote:
> If we really want to be serious about security we'll have to use ssl for login, but I don't know how to do that.
I looked into this briefly a while ago; apparently there are difficulties with using https on apache with name-based virtual servers, as it cannot determine which virtual host configuration to go to until it's already established the https connection, but to configure the https connection it needs to know which virtual host configuration it's using.
If anyone's got some experience with this or can think of a clean workaround, please speak up. (Listening on a separate port for each wiki is probably possible, but less than elegant.)
-- brion vibber (brion @ pobox.com)
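
The automated upgrade path discussed in this message, as an added example that is not code from the thread or from the wiki software: each stored md5(password) value is wrapped as md5(md5(password) + salt) without ever needing the plaintext, so nobody resets a password. The record layout, the 8-byte random salt, and joining the hex digest and salt as strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def upgrade_record(record: dict) -> dict:
    """Wrap a legacy md5(password) hash; the password itself is not needed."""
    if record["scheme"] == "salted":
        return record  # already migrated, so running the upgrade twice is safe
    salt = secrets.token_hex(8)  # per-user random salt (assumed length)
    return {
        "user": record["user"],
        "scheme": "salted",
        "salt": salt,
        "hash": md5_hex(record["hash"] + salt),  # md5(md5(password) + salt)
    }


def check_login(record: dict, password: str) -> bool:
    """Recompute the stored value from the submitted password and compare."""
    candidate = md5_hex(password)
    if record["scheme"] == "salted":
        candidate = md5_hex(candidate + record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def migrate(users: list) -> list:
    return [upgrade_record(u) for u in users]


# Constructed sample rows: two users who happen to share a password.
LEGACY_USERS = [
    {"user": "alice", "scheme": "legacy", "hash": md5_hex("correct horse")},
    {"user": "bob", "scheme": "legacy", "hash": md5_hex("correct horse")},
]

if __name__ == "__main__":
    for old, new in zip(LEGACY_USERS, migrate(LEGACY_USERS)):
        # Identical legacy hashes become distinct; anything that cached the
        # old hash (such as a login cookie) no longer matches the stored one.
        print(new["user"], old["hash"], "->", new["hash"])
        print("  login ok:", check_login(new, "correct horse"))
```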