On Sun, 2003-03-30 at 15:24, Tim Starling wrote:
No-one will have to reset their password. I'll just use md5(md5(password) + salt) for the new hash. The only thing users will notice is that their stored cookies will stop working and they'll have to log in again.
If that's a good enough hash, then yes that would work fine as an
automated upgrade path. Hurrah!
When you've got the code ready, send it over and I'll put it up on
for a whirl.
On Sun, 2003-03-30 at 15:30, Tim Starling wrote:
If we really want to be serious about security we'll have to use ssl for login, but I don't know how to do that.
I looked into this briefly a while ago; apparently there are
difficulties with using https on apache with name-based virtual servers,
as it cannot determine which virtual host configuration to go to until
it's already established the https connection, but to configure the
https connection it needs to know which virtual host configuration it's
If anyone's got some experience with this or can think of a clean
workaround, please speak up. (Listening on a separate port for each wiki
is probably possible, but less than elegant.)
-- brion vibber (brion @ pobox.com)
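
The automated upgrade path discussed in this message, sketched as an added example (not code from the thread or from the project). It assumes "+" means concatenating the hex digest with a random per-user salt; the function names, record layout and sample users are hypothetical.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def upgrade_record(old_hash: str) -> dict:
    """Turn a stored md5(password) into md5(md5(password) + salt).

    Only the old hash is needed, so no user has to reset a password.
    """
    salt = secrets.token_hex(8)  # assumed salt format: 64 random bits, hex
    return {"salt": salt, "hash": md5_hex(old_hash + salt)}


def migrate(legacy: dict) -> dict:
    """One-off batch conversion of the whole user table."""
    return {name: upgrade_record(old) for name, old in legacy.items()}


def verify_login(record: dict, password: str) -> bool:
    """Recompute the nested hash from the submitted password and compare."""
    candidate = md5_hex(md5_hex(password) + record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample data: two users who happen to share a password.
LEGACY_USERS = {
    "alice": md5_hex("correct horse"),
    "bob": md5_hex("correct horse"),
}

if __name__ == "__main__":
    upgraded = migrate(LEGACY_USERS)
    # Unsalted hashes of equal passwords are equal; salted ones differ.
    print(LEGACY_USERS["alice"] == LEGACY_USERS["bob"])
    print(upgraded["alice"]["hash"] == upgraded["bob"]["hash"])
    # The original password still logs in after the migration.
    print(verify_login(upgraded["alice"], "correct horse"))
    # A value derived from the old hash (assumed here to be what a stored
    # cookie holds) no longer matches, which forces a fresh login.
    print(LEGACY_USERS["alice"] == upgraded["alice"]["hash"])
```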