On Sun, Mar 30, 2003 at 04:23:03PM -0800, Brion Vibber wrote:
On Sun, 2003-03-30 at 15:24, Tim Starling wrote:
No-one will have to reset their password. I'll just use md5(md5(password) + salt) for the new hash. The only thing users will notice is that their stored cookies will stop working and they'll have to log in again.
If that's a good enough hash, then yes that would work fine as an automated upgrade path. Hurrah!
When you've got the code ready, send it over and I'll put it up on test.wikipedia.org for a whirl.
On Sun, 2003-03-30 at 15:30, Tim Starling wrote:
If we really want to be serious about security we'll have to use SSL for login, but I don't know how to do that.
I looked into this briefly a while ago; apparently there are difficulties with using HTTPS on Apache with name-based virtual servers, as it cannot determine which virtual host configuration to go to until it's already established the HTTPS connection, but to configure the HTTPS connection it needs to know which virtual host configuration it's using.
If anyone's got some experience with this or can think of a clean workaround, please speak up. (Listening on a separate port for each wiki is probably possible, but less than elegant.)
-- brion vibber (brion @ pobox.com)
You can only have one virtual host per IP/port with SSL. Sorry, SSL limitation, can't be helped. All you have to do (provided all of the wikis are on the same machine) is redirect everybody to www.wikipedia.org for the login, and then back to their original language for everything else. So, it can be done, but it is annoying.
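
The automated upgrade path discussed earlier in the thread, md5(md5(password) + salt), sketched as an added example that is not code from the thread or from the wiki software. It assumes the old column holds the hex MD5 of the password and that "+" means string concatenation of that hex digest with a per-user salt; the function names, record layout and sample users are constructed for illustration. MD5 is used only because it is the scheme the thread proposes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def upgrade_record(old_hash: str, salt: Optional[str] = None) -> Dict[str, str]:
    """Turn a stored md5(password) into md5(md5(password) + salt).

    Only the old hash is needed, so the migration runs offline over the
    user table and nobody has to reset a password.
    """
    if salt is None:
        salt = secrets.token_hex(8)  # fresh random salt per user (assumed size)
    return {"salt": salt, "hash": md5_hex(old_hash + salt)}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Login check against an upgraded record."""
    candidate = md5_hex(md5_hex(password) + record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def migrate(old_table: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Upgrade every row of a {user: md5(password)} table."""
    return {user: upgrade_record(h) for user, h in old_table.items()}


# Constructed sample data: two users who happen to share a password.
OLD_TABLE = {
    "alice": md5_hex("correct horse"),
    "bob": md5_hex("correct horse"),
}

if __name__ == "__main__":
    new_table = migrate(OLD_TABLE)
    # Identical old hashes, different new hashes: the salt separates them.
    print(OLD_TABLE["alice"] == OLD_TABLE["bob"])
    print(new_table["alice"]["hash"] == new_table["bob"]["hash"])
    # The original password still logs in; the old unsalted hash no longer
    # matches what is stored.
    print(verify("correct horse", new_table["alice"]))
    print(OLD_TABLE["alice"] == new_table["alice"]["hash"])
```
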