plugin:securelogin
Differences
This shows you the differences between two versions of the page.
plugin:securelogin [2014-10-26 21:44] – old revision restored (2014-09-24 09:01) ach | plugin:securelogin [2023-10-30 23:29] (current) – Klap-in | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
---- plugin ---- | ---- plugin ---- | ||
- | description: | + | description: |
- | author | + | author |
- | email : securelogin@mattfiddles.com | + | |
type : admin, action | type : admin, action | ||
- | lastupdate : 2014-09-23 | + | lastupdate : 2020-05-27 |
- | compatible : 2009-03-12+, rincewind, angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons | + | compatible : Rincewind, Angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons, Hrun, Detritus, Elenor of Tsort, Frusterick Manners, Greebo |
depends | depends | ||
conflicts | conflicts | ||
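Review bot: The `email` line is removed from the plugin metadata with nothing on the new side, while the same revision marks the plugin as not maintained with "Adopters welcome". State in the page text where a would-be adopter or someone reporting a security problem should go (for instance the `bugtracker` field), so that dropping the address does not leave the plugin without a contact path. The new `lastupdate : 2020-05-27` does agree with the 20200527 changelog entry.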
Line 13: | Line 12: | ||
tags : authentication, | tags : authentication, | ||
- | downloadurl: | + | downloadurl: |
- | bugtracker : https:// | + | bugtracker |
- | sourcerepo : https:// | + | sourcerepo |
donationurl: | donationurl: | ||
---- | ---- | ||
Line 21: | Line 20: | ||
===== Description ===== | ===== Description ===== | ||
- | This plugin uses [[http:// | + | **Not Maintained** |
- | //The download location has changed to https://github.com/bagley/dokuwiki-securelogin/tarball/ | + | This plugin uses [[http://www-cs-students.stanford.edu/~tjw/jsbn/|Tom Wu's implementation of RSA algorithm in JavaScript]] |
- | With version 20091213 and + , whenever | + | When securelogin is used, there is always |
- | //login//, //profile// or //admin// page. | + | |
- | securelogin version 20091206 and + is compatible with the [[: | + | Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the //login//, //profile// or //admin// page. |
- | When securelogin is used, there is always a //use securelogin// | + | In short, it takes your password: |
+ | < | ||
+ | p: | ||
+ | </ | ||
- | ===== Download and Installation ===== | + | And instead has the login/ |
- | - Download and install the plugin using the [[plugin:plugin|Plugin Manager]], please use the download link given above. Refer to [[: | + | < |
- | - Go the admin pages and select // | + | securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTN.... |
- | - You're done. From then on, all passwords are encrypted before being sent. | + | </ |
- | ===== Changes | + | ==== Not Maintained |
- | * **20140923** Thanks to Hideaki | + | |
+ | While it still works with the listed versions, it's **not actively maintained**. Sometimes people help out here or in the forums, but be aware that no one is maintaining it. Adopters welcome. | ||
+ | |||
+ | Attacks against RSA have become easier. This plugin uses RSA and needs to be rewritten to use a different library/ | ||
+ | |||
+ | ==== Use HTTPS, CORS, etc ==== | ||
+ | |||
+ | This plugin was made when HTTPS was pricey (for a wiki), but we still wanted as much security as we could get. Now that one can easily have HTTPS, CORS, [[https:// | ||
+ | |||
+ | Because good security is like a onion. You want a lot of layers in order keep things protected even *when* some layers fail. | ||
+ | |||
+ | ==== Issue with CAPTCHA Plugin Login ==== | ||
+ | |||
+ | If the [[plugin: | ||
+ | |||
+ | A wrong password will still fail. And Securelogin will still encrypt the password. The login will just act as if CAPTCHA is not installed. The CAPTCHA plugin should still work elsewhere on the site. | ||
+ | |||
+ | ===== Installation and Setup ===== | ||
+ | |||
+ | - Search for and install the plugin using the [[[plugin: | ||
+ | - Once installed, go the Admin page and select " | ||
+ | - Under " | ||
+ | - Click the " | ||
+ | |||
+ | You're done. From then on, all passwords are encrypted before being sent. | ||
+ | |||
+ | To manually install the plugin, please see the [[: | ||
+ | |||
+ | ===== How it works ===== | ||
+ | |||
+ | Normally when you submit your ' | ||
+ | |||
+ | < | ||
+ | id:start | ||
+ | do:login | ||
+ | u:MyUser | ||
+ | p: | ||
+ | </ | ||
+ | |||
+ | You can easily see the ' | ||
+ | |||
+ | But when you use this plugin, it will encrypt the password, which can only be decrypted on the server. | ||
+ | |||
+ | < | ||
+ | id:start | ||
+ | do:login | ||
+ | u:MyUser | ||
+ | p:****** | ||
+ | use_securelogin: | ||
+ | securelogin: | ||
+ | </ | ||
+ | |||
+ | The javascript on the page takes the form's password variable `p=MySecretPa$$word`, | ||
+ | |||
+ | When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does. | ||
+ | |||
+ | This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active): | ||
+ | |||
+ | < | ||
+ | do: | ||
+ | fullname: | ||
+ | email: | ||
+ | newpass: | ||
+ | passchk: | ||
+ | oldpass: | ||
+ | use_securelogin: | ||
+ | securelogin: | ||
+ | </ | ||
+ | |||
+ | In this case, all three passwords are encrypted into `securelogin`, | ||
+ | |||
+ | ===== Changlog ===== | ||
+ | * **20200527** | ||
+ | * Updated url to archived location of repo. | ||
+ | |||
+ | * * **20200418** | ||
+ | * Quoted array keys for php 7.2 | ||
+ | |||
+ | * **20180217** Thanks to [[https:// | ||
+ | * Fixed issue where second password was not encrypted on add/modify users | ||
+ | |||
+ | * **20150928** Thanks to Satoshi Sahara | ||
+ | * compatible with DokuWiki 2015-08-10 " | ||
+ | * replace deprecated split() function call | ||
+ | * prevent PHP error output | ||
+ | * use PHP5 constructor method for classes | ||
+ | * Improved coding style and added license header in source files | ||
+ | |||
+ | * **20140923** Thanks to [[https:// | ||
* Japanese language files added | * Japanese language files added | ||
* **20140417** | * **20140417** | ||
- | * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev' | + | * Changed download link per Mikhail I. Izmestev' |
* Updates to plugin info in admin page, like the website link and more unified info. | * Updates to plugin info in admin page, like the website link and more unified info. | ||
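Review bot: The added "How it works" text says the encrypted password "can only be decrypted on the server", while the "Not Maintained" section added in the same hunk says attacks against RSA have become easier and that the plugin needs a rewrite. Add a sentence or cross-reference in "How it works" so the stronger statement is not read on its own, and point from there to the "Use HTTPS, CORS, etc" section. The added lines also need a markup pass: the heading reads "Changlog", the 20200418 entry starts with a doubled bullet ("* * **20200418**"), and the first installation step opens its link with three brackets ("[[[plugin:"). The names `p=MySecretPa$$word`, `use_securelogin` and `securelogin` are wrapped in backticks and "*when*" in single asterisks, neither of which DokuWiki renders (monospace is two single quotes, emphasis is // or **). Finally, "like a onion" and "in order keep" should read "like an onion" and "in order to keep".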
Line 59: | Line 148: | ||
* added plugin.info.txt | * added plugin.info.txt | ||
- | * **20101101** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]] | + | * **20101101** Thanks to Christophe Martin |
* fix bug with some chars in passwords | * fix bug with some chars in passwords | ||
Line 65: | Line 154: | ||
* add support of usermanager plugin | * add support of usermanager plugin | ||
- | * **20091206** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]] | + | * **20091206** Thanks to Christophe Martin |
* fix unclosed %%<div id=" | * fix unclosed %%<div id=" | ||
* add showlogin compat | * add showlogin compat | ||
- | * **20090901** Thanks to [[hanaj1@fel.cvut.cz|Jan Hána]] | + | * **20090901** Thanks to Jan Hána |
* add Czech translation | * add Czech translation | ||
- | * **20090802** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]] | + | * **20090802** Thanks to Christophe Martin |
* fix problem with URL-rewrite DokuWiki method | * fix problem with URL-rewrite DokuWiki method | ||
* add French translation | * add French translation |
plugin/securelogin.1414356247.txt.gz · Last modified: 2014-10-26 21:44 by ach