Aleks-Daniel Jakimenko dbcc6d1459 "secure" and "httponly" flags for cookies (improved security)
These flags are essential for security. The problem we are trying to
solve is the following:
1) you visit a wiki using HTTPS and you set your password.
2) you accidentally visit the same website using plain HTTP
3) although you don't notice, your cookies are sent over the insecure
connection.
Even if that website has redirection, even if it denies any insecure
traffic, your cookie is still leaked. That's how cookies work.

"secure" and "httponly" flags solve this. It means that these cookies
will only be sent over a secure connection. If you have set your
password using HTTPS and later you visit the same wiki using plain HTTP,
it will look like you are not logged in (because these cookies will not
be used when you access the website using a non-secure connection).

If you have HTTPS on your website -- ALWAYS make sure that you set your
password using it. Alternatively redirect all non-secure requests to
HTTPS - that's even better.

If you set your password using HTTP, the same cookie will be used for
both HTTP and HTTPS requests - this is done for compatibility with
HTTP-only wikis.

$ENV{'HTTPS'} returns 'on' or empty string. 'on' is truthy so it
should not create any problems, we can safely use it.

I've tested this, it works as expected.
2015-04-20 23:13:26 +03:00
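
The flag rule described in the commit message above, as an added example in core Perl that is not Oddmuse's own code. The helper names `set_cookie_header` and `browser_sends`, the cookie name and the cookie value are assumptions made for illustration, and the browser side is a simplified model.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a Set-Cookie header value (hypothetical helper). Follows the rule in
# the commit message: the flags are added only when the request arrived over
# HTTPS ($env->{HTTPS} is 'on'), so HTTP-only wikis keep an unflagged cookie.
sub set_cookie_header {
    my ($name, $value, $env) = @_;
    # Percent-encode anything outside the unreserved set.
    $value =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;
    my @attrs = ("$name=$value", 'Path=/');
    if ($env->{HTTPS}) {
        push @attrs, 'Secure';      # browser returns it over HTTPS only
        push @attrs, 'HttpOnly';    # not readable by page scripts
    }
    return join '; ', @attrs;
}

# Simplified model of the browser side (hypothetical helper): a cookie that
# carries Secure is withheld from plain-HTTP requests.
sub browser_sends {
    my ($header, $scheme) = @_;
    my $secure = grep { lc($_) eq 'secure' } split /;\s*/, $header;
    return ($secure && $scheme ne 'https') ? 0 : 1;
}

# Constructed sample requests; cookie name and value are made up.
for my $case (
    { label => 'set over HTTPS', env => { HTTPS => 'on' } },
    { label => 'set over HTTP',  env => { HTTPS => '' } },
) {
    my $h = set_cookie_header('Wiki', 'username=Alex&pwd=example', $case->{env});
    printf "%-15s Set-Cookie: %s\n", $case->{label}, $h;
    for my $scheme ('https', 'http') {
        printf "  sent with %-5s request: %s\n", $scheme,
            browser_sends($h, $scheme) ? 'yes' : 'no';
    }
}
```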

This is the README file distributed together with the Oddmuse script.

To install the script, copy wiki.pl into your cgi-bin directory.  This
will store the pages in a temporary directory for you.  In order to
make this permanent, change the $DataDir option in the script from
'/tmp/oddmuse' to 'oddmuse'.  This will save the pages in a
subdirectory of your cgi-bin directory.

In order to start your wiki, click on the edit link (the first link
below the navigation bar, at the bottom of the page).  This will allow
you to enter some text for this page.  Click the Save button and you
are done.

To add new pages, edit the homepage and add links to new pages.  Links
are traditionally formed by ConcatenatingCapitalizedWords.  This kind
of link pattern is called a wiki word.

Alternatively, put links in [[double square brackets]].  This kind of
link pattern is called a free link.

As long as the new pages don't exist, links to these pages are
followed by a clickable question mark.  Click on the question mark to
create the new page.

Enjoy your wiki experience.

Visit http://www.oddmuse.org/ to learn more about the translation
files and modules that are part of this package.

----------------------------------------------------------------------

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

Both the GNU Free Documentation License, and the GNU General Public
License are distributed together with this script.  See the files FDL
and GPL, respectively.
Description
A simple wiki engine written in Perl. No database required.