On Sun, Mar 30, 2003 at 04:23:03PM -0800, Brion Vibber wrote:
On Sun, 2003-03-30 at 15:24, Tim Starling wrote:
No-one will have to reset their password. I'll just use
md5(md5(password) + salt) for the new hash. The only thing users will
notice is that their stored cookies will stop working and they'll have
to log in again.
If that's a good enough hash, then yes that would work fine as an
automated upgrade path. Hurrah!
When you've got the code ready, send it over and I'll put it up on
test.wikipedia.org for a whirl.
On Sun, 2003-03-30 at 15:30, Tim Starling wrote:
If we really want to be serious about security we'll have to use ssl
for login, but I don't know how to do that.
I looked into this briefly a while ago; apparently there are
difficulties with using https on apache with name-based virtual servers,
as it cannot determine which virtual host configuration to go to until
it's already established the https connection, but to configure the
https connection it needs to know which virtual host configuration it's
using.
If anyone's got some experience with this or can think of a clean
workaround, please speak up. (Listening on a separate port for each wiki
is probably possible, but less than elegant.)
-- brion vibber (brion @ pobox.com)
You can only have one virtual host per IP/port with ssl. Sorry, SSL
limitation, can't be helped. All you have to do (provided all of the
wikis are on the same machine) is redirect everybody to
www.wikipedia.org for the login, and then back to their original
language for everything else. So, it can be done, but it is annoying.
--
Nick Reinking -- eschewing obfuscation since 1981 -- Minneapolis, MN
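
Added example, not part of the original thread: a Python sketch of the upgrade path described above, wrapping each stored md5(password) digest as md5(md5(password) + salt) so the migration never needs the plaintext password. The random per-user salt, the record layout and all function names are assumptions; the thread gives only the hash formula.

```python
import hashlib
import hmac
import secrets

# Constructed sample table: username -> legacy unsalted md5(password) hex digest.
LEGACY_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"correct horse").hexdigest(),  # same password as alice
}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def upgrade_record(legacy_hash, salt=None):
    """Wrap a stored md5(password) digest; the plaintext password is never needed."""
    if salt is None:
        salt = secrets.token_hex(8)  # assumption: random per-user salt, hex-encoded
    return {"salt": salt, "hash": md5_hex(legacy_hash + salt)}


def migrate(users):
    """One-off pass over the user table, replacing every legacy hash."""
    return {name: upgrade_record(digest) for name, digest in users.items()}


def verify(password, record):
    """Login check against an upgraded record: md5(md5(password) + salt)."""
    candidate = md5_hex(md5_hex(password) + record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    upgraded = migrate(LEGACY_USERS)
    # Identical passwords gave identical legacy hashes; the salted hashes differ.
    print(LEGACY_USERS["alice"] == LEGACY_USERS["bob"])
    print(upgraded["alice"]["hash"] == upgraded["bob"]["hash"])
    print(verify("correct horse", upgraded["alice"]), verify("wrong", upgraded["alice"]))
```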