Learn about DokuWiki
Learn about DokuWiki
Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the login, profile or admin page.
securelogin version 20091206 and + is compatible with the showlogin plugin.
Normally when you submit your 'MySecretPa$$word', you will see it in the data transfer (using wireshark, tcpdump, developer tools, etc):
id:start do:login u:MyUser p:MySecretPa$$word
You can easily see the 'MySecretPa$$word' in the above example.
But when you use this plugin, it will encrypt the password, which can only be decrypted on the server.
id:start do:login u:MyUser p:****** use_securelogin:1 securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/uzfxJsO8jAbFD6/ZkB0xy9vBMabn3BYP7GWLrTR3b/7zNdla/FdqjX9U48dHMrcO2/ZFJKLsdzt84/bC+3xoV7/qC/BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q==
When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does.
This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active):
do:profile fullname:MyUser email:firstname.lastname@example.org newpass:****** passchk:****** oldpass:****** use_securelogin:1 securelogin:mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/f7EYKXozXpMNHA3l/VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/BHUgbmCPQV6XNWttZbRp8r1Q1dG/g==
In this case, all three passwords are encrypted into `securelogin`, and the post values replaced with stars.
For support for these older versions (if you really need outdated software) use https://github.com/bagley/dokuwiki-securelogin/archive/c1f0a0e018cedfd29a48ab157098efe480e37049.zip
Tested and found to not be functional under Angua. No checkbox appears on the login screen and I am not sure if the key generation is working. How can I test this? — greenseeker 2012/02/02 19:41
It works for me under Angua. I do get a checkbox. Did you manually generate a new key pair on the Admin page (&do=admin&page=securelogin)? If it works the public key should be shown there. — Rik Blok 2012/02/02 20:17
I did generate the new key, or at least I tried. When I click Generate the page reloads but nothing visibly happens. I tried all available key length options and got the same result. — greenseeker 2012/02/02 23:10
I'm not the plugin author so I'm just guessing but have you checked your file/folder permissions? Maybe the keys can't be written on the server. I don't know where they're supposed to be stored. — Rik Blok 2012/02/03 20:29
The key is stored in
data/cache/securelogin.*. — Casper 2012/02/03 22:34
Just checked the permissions again and they're all good.
data/cache/securelogin.keyboth existed with a Feb 2 date, so they were created. I delete and recreated them again but still no checkbox at login. — greenseeker 2012/02/04 17:30
Maybe a caching (⇒ delete cache) or template (try default template) problem? — Casper 2012/02/04 19:54
It works for me with the latest Arctic template on Angua. I did have to regenerate my key at some point (but I don't remember if it was related to a DokuWiki or template update). — Rik Blok 2012/02/08 00:30
I'm not sure what the cause was, but it started working for me after changing to the default template and then back to arctic again. I did this yesterday and it didn't have any effect. — greenseeker 2012/02/08 01:25
I can't generate key: I use Adora Belle. Permission rights of data/cache are ok, ma none of the files above (securelogin.*) have been generated. Is the plugin working with Adora Belle? — fabrizio 2012/10/16