data/TWiki/TWikiUserAuthentication.txt,v
author Colas Nahaboo <colas@nahaboo.net>
Sat, 26 Jan 2008 15:50:53 +0100
changeset 0 414e01d06fd5
child 2 7bc60a767fa4
permissions -rw-r--r--
RELEASE 4.2.0 freetown
colas@0
     1
head	1.24;
colas@0
     2
access;
colas@0
     3
symbols;
colas@0
     4
locks; strict;
colas@0
     5
comment	@# @;
colas@0
     6
colas@0
     7
colas@0
     8
1.24
colas@0
     9
date	2008.01.22.03.21.25;	author TWikiContributor;	state Exp;
colas@0
    10
branches;
colas@0
    11
next	1.23;
colas@0
    12
colas@0
    13
1.23
colas@0
    14
date	2007.01.16.04.12.04;	author TWikiContributor;	state Exp;
colas@0
    15
branches;
colas@0
    16
next	1.22;
colas@0
    17
colas@0
    18
1.22
colas@0
    19
date	2006.06.25.16.26.27;	author TWikiContributor;	state Exp;
colas@0
    20
branches;
colas@0
    21
next	1.21;
colas@0
    22
colas@0
    23
1.21
colas@0
    24
date	2006.04.01.05.55.16;	author TWikiContributor;	state Exp;
colas@0
    25
branches;
colas@0
    26
next	1.20;
colas@0
    27
colas@0
    28
1.20
colas@0
    29
date	2006.02.01.12.01.20;	author TWikiContributor;	state Exp;
colas@0
    30
branches;
colas@0
    31
next	1.19;
colas@0
    32
colas@0
    33
1.19
colas@0
    34
date	2004.08.15.21.29.04;	author PeterThoeny;	state Exp;
colas@0
    35
branches;
colas@0
    36
next	1.18;
colas@0
    37
colas@0
    38
1.18
colas@0
    39
date	2004.04.25.07.15.24;	author PeterThoeny;	state Exp;
colas@0
    40
branches;
colas@0
    41
next	1.17;
colas@0
    42
colas@0
    43
1.17
colas@0
    44
date	2003.05.29.03.28.45;	author PeterThoeny;	state Exp;
colas@0
    45
branches;
colas@0
    46
next	1.16;
colas@0
    47
colas@0
    48
1.16
colas@0
    49
date	2003.04.14.06.55.29;	author PeterThoeny;	state Exp;
colas@0
    50
branches;
colas@0
    51
next	1.15;
colas@0
    52
colas@0
    53
1.15
colas@0
    54
date	2002.12.29.02.04.30;	author PeterThoeny;	state Exp;
colas@0
    55
branches;
colas@0
    56
next	1.14;
colas@0
    57
colas@0
    58
1.14
colas@0
    59
date	2002.05.19.15.02.22;	author MikeMannix;	state Exp;
colas@0
    60
branches;
colas@0
    61
next	1.13;
colas@0
    62
colas@0
    63
1.13
colas@0
    64
date	2001.09.15.09.18.01;	author MikeMannix;	state Exp;
colas@0
    65
branches;
colas@0
    66
next	1.12;
colas@0
    67
colas@0
    68
1.12
colas@0
    69
date	2001.09.14.08.02.14;	author PeterThoeny;	state Exp;
colas@0
    70
branches;
colas@0
    71
next	1.11;
colas@0
    72
colas@0
    73
1.11
colas@0
    74
date	2001.09.12.07.34.40;	author MikeMannix;	state Exp;
colas@0
    75
branches;
colas@0
    76
next	1.10;
colas@0
    77
colas@0
    78
1.10
colas@0
    79
date	2001.09.07.10.05.18;	author MikeMannix;	state Exp;
colas@0
    80
branches;
colas@0
    81
next	1.9;
colas@0
    82
colas@0
    83
1.9
colas@0
    84
date	2001.09.06.21.24.47;	author MikeMannix;	state Exp;
colas@0
    85
branches;
colas@0
    86
next	1.8;
colas@0
    87
colas@0
    88
1.8
colas@0
    89
date	2001.09.06.05.26.41;	author MikeMannix;	state Exp;
colas@0
    90
branches;
colas@0
    91
next	1.7;
colas@0
    92
colas@0
    93
1.7
colas@0
    94
date	2001.09.04.01.41.41;	author MikeMannix;	state Exp;
colas@0
    95
branches;
colas@0
    96
next	1.6;
colas@0
    97
colas@0
    98
1.6
colas@0
    99
date	2001.09.03.07.27.22;	author MikeMannix;	state Exp;
colas@0
   100
branches;
colas@0
   101
next	1.5;
colas@0
   102
colas@0
   103
1.5
colas@0
   104
date	2001.09.02.05.32.08;	author MikeMannix;	state Exp;
colas@0
   105
branches;
colas@0
   106
next	1.4;
colas@0
   107
colas@0
   108
1.4
colas@0
   109
date	2001.09.01.04.47.30;	author MikeMannix;	state Exp;
colas@0
   110
branches;
colas@0
   111
next	1.3;
colas@0
   112
colas@0
   113
1.3
colas@0
   114
date	2001.08.29.15.20.37;	author MikeMannix;	state Exp;
colas@0
   115
branches;
colas@0
   116
next	1.2;
colas@0
   117
colas@0
   118
1.2
colas@0
   119
date	2001.03.16.09.09.58;	author PeterThoeny;	state Exp;
colas@0
   120
branches;
colas@0
   121
next	1.1;
colas@0
   122
colas@0
   123
1.1
colas@0
   124
date	2000.11.02.09.23.06;	author PeterThoeny;	state Exp;
colas@0
   125
branches;
colas@0
   126
next	;
colas@0
   127
colas@0
   128
colas@0
   129
desc
colas@0
   130
@none
colas@0
   131
@
colas@0
   132
colas@0
   133
colas@0
   134
1.24
colas@0
   135
log
colas@0
   136
@buildrelease
colas@0
   137
@
colas@0
   138
text
colas@0
   139
@%META:TOPICINFO{author="TWikiContributor" date="1176971123" format="1.0" version="24"}%
colas@0
   140
%STARTINCLUDE%
colas@0
   141
---+ TWiki User Authentication
colas@0
   142
colas@0
   143
_TWiki site access control and user activity tracking options_
colas@0
   144
colas@0
   145
%TOC%
colas@0
   146
colas@0
   147
---++ Overview
colas@0
   148
colas@0
   149
Authentication, or "login", is the process by which a user lets TWiki know who they are.
colas@0
   150
colas@0
   151
Authentication isn't just to do with access control. TWiki uses authentication to identify users, so it can keep track of who made changes, and manage a wide range of personal settings. With authentication enabled, users can personalise TWiki and contribute as recognised individuals, instead of shadows.
colas@0
   152
colas@0
   153
TWiki authentication is very flexible, and can either stand alone or integrate with existing authentication schemes. You can set up TWiki to require authentication for every access, or only for changes. Authentication is also essential for access control.
colas@0
   154
colas@0
   155
*Quick Authentication Test* - Use the %<nop>USERINFO% variable to return your current identity:
colas@0
   156
   * You are %USERINFO% 
colas@0
   157
colas@0
   158
TWiki user authentication is split into four sections; password management, user mapping, user registration, and login management. Password management deals with how users personal data is stored. Registration deals with how new users are added to the wiki. Login management deals with how users log in.
colas@0
   159
colas@0
   160
Once a user is logged on, they can be remembered using a _Client Session_ stored in a cookie in the browser (or by other less elegant means if the user has disabled cookies). This avoids them having to log on again and again.
colas@0
   161
colas@0
   162
TWiki user authentication is configured through the Security Settings pane in the [[%SCRIPTURLPATH{"configure"}%][configure]] interface.
colas@0
   163
colas@0
   164
Please note FileAttachments are not protected by TWiki User Authentication. 
colas@0
   165
colas@0
   166
__%T% Tip:__ TWiki:TWiki.TWikiUserAuthenticationSupplement on TWiki.org has supplemental documentation on user authentication.
colas@0
   167
colas@0
   168
#PasswordManagement
colas@0
   169
---++ Password Management
colas@0
   170
colas@0
   171
As shipped, TWiki supports the Apache 'htpasswd' password manager. This manager supports the use of =.htpasswd= files on the server. These files can be unique to TWiki, or can be shared with other applications (such as an Apache webserver). A variety of password encodings are supported for flexibility when re-using existing files. See the descriptive comments in the Security Settings section of the [[%SCRIPTURLPATH{"configure"}%][configure] interface for more details.
colas@0
   172
colas@0
   173
You can easily plug in alternate password management modules to support interfaces to other third-party authentication databases.
colas@0
   174
colas@0
   175
#UserMapping
colas@0
   176
---++ User Mapping
colas@0
   177
colas@0
   178
Often when you are using an external authentication method, you want to map from an unfriendly "login name" to a more friendly WikiName. Also, an external authentication database may well have user information you want to import to TWiki, such as user groups.
colas@0
   179
colas@0
   180
By default, TWiki supports mapping of usernames to wikinames, and supports TWiki groups internal to TWiki. If you want, you can plug in an alternate user mapping module to support import of groups etc.
colas@0
   181
colas@0
   182
#UserRegistration
colas@0
   183
---++ User Registration
colas@0
   184
colas@0
   185
New user registration uses the password manager to set and change passwords and store email addresses. It is also responsible for the new user verification process. the registration process supports *single user registration* via the TWikiRegistration page, and *bulk user registration* via the BulkRegistration page (for admins only).
colas@0
   186
colas@0
   187
The registration process is also responsible for creating user topics, and setting up the mapping information used by the User Mapping support.
colas@0
   188
colas@0
   189
#LoginManagement
colas@0
   190
---++ Login Management
colas@0
   191
colas@0
   192
Login management controls the way users have to log in. There are three basic options; no login, login via a TWiki login page, and login using the webserver authentication support.
colas@0
   193
colas@0
   194
#NoLogin
colas@0
   195
---+++ No Login (select =none= in configure)
colas@0
   196
colas@0
   197
Does exactly what it says on the tin. Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki style. All visitors are given the %USERSWEB%.TWikiGuest default identity, so you can't track individual user activity.
colas@0
   198
colas@0
   199
__%X% Note:__ This setup is *not* recommended on public websites for security reasons; anyone would be able to change system settings and perform tasks usually restricted to administrators.
colas@0
   200
colas@0
   201
#TemplateLogin
colas@0
   202
---+++ Template Login (select =TWiki::Client::TemplateLogin= in configure)
colas@0
   203
colas@0
   204
Template Login asks for a username and password in a web page, and processes them using whatever Password Manager you choose. Users can log in and log out. Client Sessions are used to remember users. Users can choose to have their session remembered so they will automatically be logged in the next time they start their browser.
colas@0
   205
colas@0
   206
---++++ Enabling Template Login
colas@0
   207
   1 Use the [[%SCRIPTURLPATH{"configure"}%][configure]] interface to
colas@0
   208
      1 select the =TWiki::Client::TemplateLogin= login manager (on the Security Settings pane).
colas@0
   209
      1 select the appropriate password manager for your system, or provide your own.
colas@0
   210
   1 Register yourself in the TWikiRegistration topic.
colas@0
   211
    <br /> %H% Check that the password manager recognises the new user. If you are using =.htpasswd= files, check that a new line with the username and encrypted password is added to the =.htpasswd= file. If not, you probably got a path wrong, or the permissions may not allow the webserver user to write to that file.
colas@0
   212
   1 Create a new topic to check if authentication works.
colas@0
   213
   1 *Edit the %USERSWEB%.TWikiAdminGroup topic in the %USERSWEB% web to include users with system administrator status.*
colas@0
   214
    <br /> %X% *This is a very important step*, as users in this group can access _all_ topics, independent of TWiki access controls.
colas@0
   215
colas@0
   216
TWikiAccessControl has more information on setting up access controls.
colas@0
   217
colas@0
   218
%X% At this time TWikiAccessControls cannot control access to files in the =pub= area, unless they are only accessed through the =viewfile= script. If your =pub= directory is set up in the webserver to allow open access you may want to add =.htaccess= files in there to restrict access.
colas@0
   219
colas@0
   220
%T% You can create a custom version of the TWikiRegistration form by copying the topic, and then deleting or adding input tags in your copy. The =name=""= parameter of the input tags must start with: ="Twk0..."= (if this is an optional entry), or ="Twk1..."= (if this is a required entry). This ensures that the fields are carried over into the user home page correctly. Do *not* modify the version of TWikiRegistration shipped with TWiki, as your changes will be overwritten next time you upgrade.
colas@0
   221
colas@0
   222
%T% The default new user template page is in [[%SYSTEMWEB%.NewUserTemplate][%SYSTEMWEB%.NewUserTemplate]]. The same variables get expanded as in the [[TWikiTemplates#Template_Topics][template topics]]. You can create a custom new user home page by creating the [[%USERSWEB%.NewUserTemplate][%USERSWEB%.NewUserTemplate]] topic, which will then override the default.
colas@0
   223
colas@0
   224
#ApacheLogin
colas@0
   225
---+++ Apache Login (select =TWiki::Client::ApacheLogin= in configure)
colas@0
   226
colas@0
   227
Using this method TWiki does not authenticate users internally. Instead it depends on the =REMOTE_USER= environment variable, which is set when you enable authentication in the webserver.
colas@0
   228
colas@0
   229
The advantage of this scheme is that if you have an existing website authentication scheme using Apache modules such as =mod_auth_ldap= or =mod_auth_mysql= you can just plug in directly to them.
colas@0
   230
colas@0
   231
The disadvantage is that because the user identity is cached in the browser, you can log in, but you can't log out again unless you restart the browser.
colas@0
   232
colas@0
   233
TWiki maps the =REMOTE_USER= that was used to log in to the webserver to a WikiName using the table in %USERSWEB%.TWikiUsers. This table is updated whenever a user registers, so users can choose not to register (in which case their webserver login name is used for their signature) or register (in which case that login name is mapped to their WikiName).
colas@0
   234
colas@0
   235
The same private =.htpasswd= file used in TWiki Template Login can be used to authenticate Apache users, using the Apache Basic Authentication support.
colas@0
   236
colas@0
   237
*Warning:* Do *not* use the Apache =htpasswd= program with =.htpasswd= files generated by TWiki! =htpasswd= wipes out email addresses that TWiki plants in the info fields of this file.
colas@0
   238
colas@0
   239
---++++ Enabling Apache Login using =mod_auth=
colas@0
   240
You can use any other Apache authentication module that sets REMOTE_USER.
colas@0
   241
   1 Use [[%SCRIPTURLPATH{"configure"}%#LoginManager][configure]] to select the =TWiki::Client::ApacheLogin= login manager.
colas@0
   242
   1 Use [[%SCRIPTURLPATH{"configure"}%#PasswordManager][configure]] to set up TWiki to create the right kind of =.htpasswd= entries.
colas@0
   243
   1 Create a =.htaccess= file in the =twiki/bin= directory.<br />%H% There is an template for this file in =twiki/bin/.htaccess.txt= that you can copy and change. The comments in the file explain what need to be done.<br />%H% If you got it right, the browser should now ask for login name and password when you click on the <u>Edit</u>. If =.htaccess= does not have the desired effect, you may need to "AllowOverride All" for the directory in =httpd.conf= (if you have root access; otherwise, e-mail web server support)
colas@0
   244
    <br /> %X% At this time TWikiAccessControls do not control access to files in the =pub= area, unless they are only accessed through the =viewfile= script. If your =pub= directory is set up to allow open access you may want to add =.htaccess= files in there as well to restrict access 
colas@0
   245
   1 You can create a custom version of the TWikiRegistration form by copying the default topic, and then deleting or adding input tags in your copy. The =name=""= parameter of the input tags must start with: ="Twk0..."= (if this is an optional entry), or ="Twk1..."= (if this is a required entry). This ensures that the fields are carried over into the user home page correctly. Do *not* modify the version of TWikiRegistration shipped with TWiki, as your changes will be overwritten next time you upgrade.
colas@0
   246
    <br />The default new user template page is in [[%SYSTEMWEB%.NewUserTemplate][%SYSTEMWEB%.NewUserTemplate]]. The same variables get expanded as in the [[TWikiTemplates#Template_Topics][template topics]]. You can create a custom new user home page by creating the [[%USERSWEB%.NewUserTemplate][%USERSWEB%.NewUserTemplate]] topic, which will then override the default.
colas@0
   247
   1 Register yourself in the TWikiRegistration topic.
colas@0
   248
    <br /> %H% Check that a new line with the username and encrypted password is added to the =.htpasswd= file. If not, you may have got a path wrong, or the permissions may not allow the webserver user to write to that file.
colas@0
   249
   1 Create a new topic to check if authentication works.
colas@0
   250
   1 *Edit the %USERSWEB%.TWikiAdminGroup topic in the %USERSWEB% web to include users with system administrator status.*
colas@0
   251
    <br /> %X% *This is a very important step*, as users in this group can access _all_ topics, independent of TWiki access controls.
colas@0
   252
TWikiAccessControl has more information on setting up access controls.
colas@0
   253
colas@0
   254
---++++ Logons via bin/logon
colas@0
   255
colas@0
   256
Any time a user enters a page that needs authentication, they will be forced to log on. It may be convenient to have a "logon" as well, to give the system a chance to identify the user and retrieve their personal settings. It may be convenient to force them to log on.
colas@0
   257
colas@0
   258
The ==bin/logon== script accomplishes this. The ==bin/logon== script must be setup in the ==bin/.htaccess== file to be a script which requires a =valid user=. However, once authenticated, it will simply redirect the user to the view URL for the page from which the =logon= script was linked.
colas@0
   259
colas@0
   260
#TrackSessions
colas@0
   261
---++ Sessions
colas@0
   262
colas@0
   263
TWiki uses the CPAN:CGI::Session and CPAN:CGI::Cookie modules to track sessions. These modules are de facto standards for session management among Perl programmers. If you can't use Cookies for any reason, CPAN:CGI::Session also supports session tracking using the client IP address.
colas@0
   264
colas@0
   265
You don't _have_ to enable sessions to support logins in TWiki. However it is *strongly* recommended. TWiki needs some way to remember the fact that you logged in from a particular browser, and it uses sessions to do this. If you don;t enable sessions, TWiki will try hard to remember you, but due to limitations in the browsers it may also forget you (and then suddenly remember you again later!). So for the best user experience, you should enable sessions.
colas@0
   266
colas@0
   267
There are a number of TWikiVariables available that you can use to interrogate your current session. You can even add your own session variables to the TWiki cookie. Session variables are referred to as "sticky" variables.
colas@0
   268
colas@0
   269
---+++ Getting, Setting, and Clearing Session Variables
colas@0
   270
colas@0
   271
You can get, set, and clear session variables from within TWiki web pages or by using script parameters. This allows you to use the session as a personal "persistent memory space" that is not lost until the web browser is closed. Also note that if a session variable has the same name as a TWiki preference, the session variables value takes precedence over the TWiki preference. *This allows for per-session preferences.*
colas@0
   272
colas@0
   273
To make use of these features, use the tags:
colas@0
   274
colas@0
   275
<verbatim>
colas@0
   276
%SESSION_VARIABLE{ "varName" }%
colas@0
   277
%SESSION_VARIABLE{ "varName" set="varValue" }%
colas@0
   278
%SESSION_VARIABLE{ "varName" clear="" }%
colas@0
   279
</verbatim>
colas@0
   280
colas@0
   281
Note that you *cannot* override access controls preferences this way.
colas@0
   282
colas@0
   283
---+++ Cookies and Transparent Session IDs
colas@0
   284
colas@0
   285
TWiki normally uses cookies to store session information on a client computer. Cookies are a common way to pass session information from client to server. TWiki cookies simply hold a unique session identifier that is used to look up a database of session information on the TWiki server.
colas@0
   286
colas@0
   287
For a number of reasons, it may not be possible to use cookies. In this case, TWiki has a fallback mechanism; it will automatically rewrite every internal URL it sees on pages being generated to one that also passes session information.
colas@0
   288
colas@0
   289
#UsernameVsLoginName
colas@0
   290
---++ TWiki Username vs. Login Username
colas@0
   291
colas@0
   292
This section applies only if you are using authentication with existing login names (i.e. mapping from login names to WikiNames).
colas@0
   293
colas@0
   294
<nop>%WIKITOOLNAME% internally manages two usernames: Login Username and TWiki Username.
colas@0
   295
colas@0
   296
   * *Login Username:* When you login to the intranet, you use your existing login username, ex: ==pthoeny==. This name is normally passed to TWiki by the ==REMOTE_USER== environment variable, and used internally. Login Usernames are maintained by your system administrator.
colas@0
   297
colas@0
   298
   * *TWiki Username:* Your name in WikiNotation, ex: ==PeterThoeny==, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the %USERSWEB% web.
colas@0
   299
colas@0
   300
TWiki can automatically map an Intranet (Login) Username to a TWiki Username if the {AllowLoginName} is enabled in [[%SCRIPTURLPATH{"configure"}%][configure]]. The default is to use your WikiName as a login name.
colas@0
   301
colas@0
   302
<blockquote>
colas@0
   303
__NOTE:__ *To correctly enter a WikiName* - your own or someone else's - be sure to include the %USERSWEB% web name in front of the Wiki username, followed by a period, and no spaces, for example ==%USERSWEB%.<nop>WikiUsername== or ==%<nop>USERSWEB%.<nop>WikiUsername==.
colas@0
   304
This points ==<nop>WikiUsername== to the %USERSWEB% web, where user home pages are located, no matter which web it's entered in. Without the web prefix, the name appears as a NewTopic everywhere but in the %USERSWEB% web.
colas@0
   305
</blockquote>
colas@0
   306
colas@0
   307
#ChangingPasswords
colas@0
   308
---++ Changing Passwords
colas@0
   309
colas@0
   310
If your {PasswordManager} supports password changing, you can change and reset passwords using forms on regular pages.
colas@0
   311
colas@0
   312
   * The ChangePassword form ( ==TWiki/ChangePassword== )
colas@0
   313
   * The ResetPassword form ( ==TWiki/ResetPassword== )
colas@0
   314
colas@0
   315
#ChangingEmails
colas@0
   316
---++ Changing E-mail Addresses
colas@0
   317
colas@0
   318
If the active {PasswordManager} supports storage and retrieval of user e-mail addresses, you can change your e-mail using a regular page. As shipped, this is true only for the Apache 'htpasswd' password manager.
colas@0
   319
colas@0
   320
   * The ChangeEmailAddress form ( ==TWiki/ChangeEmailAddress== )
colas@0
   321
colas@0
   322
#IndividualScripts
colas@0
   323
---++ Controlling access to individual scripts
colas@0
   324
You may want to add or remove scripts from the list of scripts that require authentication. The method for doing this is different for each of Template Login and Apache Login.
colas@0
   325
   * For Template Login, update the {AuthScripts} list using [[%SCRIPTURLPATH{"configure"}%][configure]]
colas@0
   326
   * For Apache Login, add/remove the script from =.htaccess=
colas@0
   327
#HowTo
colas@0
   328
---++ How to choose an authentication method
colas@0
   329
colas@0
   330
One of the key features of TWiki is that it is possible to add HTML to topics. No authentication method is 100% secure on a website where end users can add HTML, as there is always a risk that a malicious user can add code to a topic that gathers user information, such as session IDs. The TWiki developers have been forced to make certain tradeoffs, in the pursuit of efficiency, that may be exploited by a hacker.
colas@0
   331
colas@0
   332
This section discusses some of the known risks. You can be sure that any potential hackers have read this section as well!
colas@0
   333
colas@0
   334
At one extreme, the most secure method is to use TWiki via SSL (Secure Sockets Layer), with a login manager installed and Client Sessions turned *off*.
colas@0
   335
colas@0
   336
Using TWiki with sessions turned off is a pain, though, as with all the login managers there are occasions where TWiki will forget who you are. The best user experience is achieved with sessions turned *on*.
colas@0
   337
colas@0
   338
As soon as you allow the server to maintain information about a logged-in user, you open a door to potential attacks. There are a variety of ways a malicious user can pervert TWiki to obtain another users session ID, the most common of which is known as a [[http://www.perl.com/pub/a/2002/02/20/css.html][cross-site scripting]] attack. Once a hacker has an SID they can pretend to be that user.
colas@0
   339
colas@0
   340
To help prevent these sorts of attacks, TWiki supports *IP matching*, which ensures that the IP address of the user requesting a specific session is the same as the IP address of the user who created the session. This works well as long as IP addresses are unique to each client, and as long as the IP address of the client can't be faked.
colas@0
   341
colas@0
   342
Session IDs are usually stored by TWiki in cookies, which are stored in the client browser. Cookies work well, but not all environments or users permit cookies to be stored in browsers. So TWiki also supports two other methods of determining the session ID. The first method uses the client IP address to determine the session ID. The second uses a rewriting method that rewrites local URLs in TWiki pages to include the session ID in the URL. 
colas@0
   343
colas@0
   344
The first method works well as long as IP addresses are *unique* to each individual client, and client IP addresses can't be faked by a hacker. If IP addresses are unique and can't be faked, it is almost as secure as cookies + IP matching, so it ranks as the *fourth most secure method*.
colas@0
   345
colas@0
   346
If you have to turn IP matching off, and cookies can't be relied on, then you may have to rely on the second method, URL rewriting. This method exposes the session IDs very publicly, so should be regarded as "rather dodgy".
colas@0
   347
colas@0
   348
Most TWiki sites don't use SSL, so, as is the case with *most* sites that don't use SSL, there is always a possibility that a password could be picked out of the aether. Browsers do not encrypt passwords sent over non-SSL links, so using Apache Login is no more secure than Template Login.
colas@0
   349
colas@0
   350
Of the two shipped login managers, Apache Login is probably the most useful. It lets you do this sort of thing:
colas@0
   351
<tt>wget --http-user=RogerRabbit --http-password=i'mnottelling <nop>http://www.example.com/bin/save/Sandbox/StuffAUTOINC0?text=hohoho,%20this%20is%20interesting</tt>
colas@0
   352
i.e. pass in a user and password to a request from the command-line. However it doesn't let you log out.
colas@0
   353
colas@0
   354
Template Login degrades to url re-writing when you use a client like dillo that does not support cookies. However, you can log out and back in as a different user.
colas@0
   355
colas@0
   356
Finally, it would be really neat if someone was to work out how to use certificates to identify users.....
colas@0
   357
colas@0
   358
See TWiki:TWiki.SecuringTWikiSite for more information.
colas@0
   359
colas@0
   360
%STOPINCLUDE%
colas@0
   361
__Related Topics:__ AdminDocumentationCategory, TWikiAccessControl, TWiki:TWiki.TWikiUserAuthenticationSupplement, TWiki:TWiki.SecuringTWikiSite
colas@0
   362
colas@0
   363
-- __Contributors:__ TWiki:Main.PeterThoeny, TWiki:Main.MikeMannix, TWiki:Main.CrawfordCurrie
colas@0
   364
@
colas@0
   365
colas@0
   366
colas@0
   367
1.23
colas@0
   368
log
colas@0
   369
@buildrelease
colas@0
   370
@
colas@0
   371
text
colas@0
   372
@d1 1
colas@0
   373
a1 2
colas@0
   374
%META:TOPICINFO{author="TWikiContributor" date="1159684864" format="1.0" version="23"}%
colas@0
   375
%TOC%
colas@0
   376
d3 1
colas@0
   377
a3 1
colas@0
   378
---# TWiki User Authentication
colas@0
   379
d7 2
colas@0
   380
d30 1
colas@0
   381
d37 1
colas@0
   382
d44 1
colas@0
   383
d51 1
colas@0
   384
d56 1
colas@0
   385
d59 1
colas@0
   386
a59 1
colas@0
   387
Does exactly what it says on the tin. Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki style. All visitors are given the %MAINWEB%.TWikiGuest default identity, so you can't track individual user activity.
colas@0
   388
d61 1
colas@0
   389
a61 1
colas@0
   390
__%X% Note:__ This setup is *not* recommended on public websites for security reasons; anyone would be able to change system settings and perform tasks usually restricted to the %MAINWEB%.TWikiAdminGroup.
colas@0
   391
d63 1
colas@0
   392
d66 1
colas@0
   393
a66 1
colas@0
   394
Template Login asks for a username and password in a web page, and processes them using whatever Password Manager you choose. Users can log in and log out. Client Sessions are used to remember users.
colas@0
   395
d75 1
colas@0
   396
a75 1
colas@0
   397
   1 *Edit the %MAINWEB%.TWikiAdminGroup topic in the %MAINWEB% web to include users with system administrator status.*
colas@0
   398
d82 1
colas@0
   399
a82 1
colas@0
   400
%T% You can create a custom version of the TWikiRegistration form by deleting or adding input tags. The =name=""= parameter of the input tags must start with: ="Twk0..."= (if this is an optional entry), or ="Twk1..."= (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
colas@0
   401
d84 1
colas@0
   402
a84 1
colas@0
   403
%T% You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the [[TWikiTemplates#Template_Topics][template topics]]
colas@0
   404
d86 1
colas@0
   405
d95 1
colas@0
   406
a95 1
colas@0
   407
TWiki maps the =REMOTE_USER= that was used to log in to the webserver to a WikiName using the table in %MAINWEB%.TWikiUsers. This table is updated whenever a user registers, so users can choose not to register (in which case their webserver login name is used for their signature) or register (in which case that login name is mapped to their WikiName).
colas@0
   408
d107 2
colas@0
   409
a108 2
colas@0
   410
   1 You can create a custom version of TWikiRegistration by deleting or adding input tags. The =name=""= parameter of the input tags must start with: ="Twk0..."= (if this is an optional entry), or ="Twk1..."= (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
colas@0
   411
    <br />You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the [[TWikiTemplates#Template_Topics][template topics]]
colas@0
   412
d112 1
colas@0
   413
a112 1
colas@0
   414
   1 *Edit the %MAINWEB%.TWikiAdminGroup topic in the %MAINWEB% web to include users with system administrator status.*
colas@0
   415
d122 1
colas@0
   416
d151 1
colas@0
   417
d160 1
colas@0
   418
a160 1
colas@0
   419
   * *TWiki Username:* Your name in WikiNotation, ex: ==PeterThoeny==, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the %MAINWEB% web.
colas@0
   420
d165 2
colas@0
   421
a166 2
colas@0
   422
__NOTE:__ *To correctly enter a WikiName* - your own or someone else's - be sure to include the %MAINWEB% web name in front of the Wiki username, followed by a period, and no spaces, for example ==%MAINWEB%.<nop>WikiUsername== or ==%<nop>MAINWEB%.<nop>WikiUsername==.
colas@0
   423
This points ==<nop>WikiUsername== to the %MAINWEB% web, where user home pages are located, no matter which web it's entered in. Without the web prefix, the name appears as a NewTopic everywhere but in the %MAINWEB% web.
colas@0
   424
@
colas@0
   425
colas@0
   426
colas@0
   427
1.22
colas@0
   428
log
colas@0
   429
@buildrelease
colas@0
   430
@
colas@0
   431
text
colas@0
   432
@d1 1
colas@0
   433
a1 1
colas@0
   434
%META:TOPICINFO{author="TWikiContributor" date="1111929255" format="1.0" version="22"}%
colas@0
   435
d16 2
colas@0
   436
a17 2
colas@0
   437
*Quick Authentication Test* - Use the %<nop>WIKIUSERNAME% variable to return your current identity:
colas@0
   438
   * You are %WIKIUSERNAME% 
colas@0
   439
d19 1
colas@0
   440
a19 1
colas@0
   441
TWiki user authentication is split into three sections; password management, user registration, and login management. Password management deals with how users are recognised (authenticated). Registration deals with how new users are added to the wiki. Login management deals with how users log in.
colas@0
   442
d21 3
colas@0
   443
a23 1
colas@0
   444
Once a user is logged on, they are remembered using a "session id" stored in a cookie in the browser (or by other less elegant means if the user has disabled cookies). This avoids them having to log on again and again.
colas@0
   445
d31 5
colas@0
   446
a35 1
colas@0
   447
As shipped, TWiki supports the Apache 'htpasswd' password manager. This manager supports the use of =.htpasswd= files on the server. These files can be unique to TWiki, or can be shared with other applications (such as an Apache webserver). A variety of password encodings are supported for flexibility when re-using existing files. See the descriptive comments in the Security Settings section of the [[%SCRIPTURLPATH{"configure"}%][ =configure= ]] interface for more details.
colas@0
   448
d37 1
colas@0
   449
a37 1
colas@0
   450
---++ New User Registration
colas@0
   451
d39 1
colas@0
   452
a39 1
colas@0
   453
New user registration uses the password manager to set and change passwords. It is also responsible for the new user verification process. the registration process supports *single user registration* via the TWikiRegistration page, and *bulk user registration* via the BulkRegistration page (for admins only).
colas@0
   454
d41 5
colas@0
   455
a45 1
colas@0
   456
The registration process is responsible for creating user topics.
colas@0
   457
a50 2
colas@0
   458
You can select your chosen login through the Security Settings pane in the =configure= interface.
colas@0
   459
colas@0
   460
d55 1
colas@0
   461
a55 1
colas@0
   462
__%X% Note:__ This setup is not recommended on public websites for security reasons; anyone would be able to change system settings and perform tasks usually restricted to the %MAINWEB%.TWikiAdminGroup.
colas@0
   463
d59 1
colas@0
   464
a59 1
colas@0
   465
Template Login asks for a username and password in a web page, and processes them using whatever Password Manager you choose. Users can log in and log out.
colas@0
   466
d62 1
colas@0
   467
a62 1
colas@0
   468
   1 Use the [[%SCRIPTURLPATH{"configure"}%][ =configure= ]] interface to
colas@0
   469
d89 1
colas@0
   470
a89 1
colas@0
   471
The same private =.htpasswd= file used in TWiki Template Login can be used to authenticate Apache users, using the Apache Basic Authentication support. This allows the TWiki registration support to maintain usernames and passwords.
colas@0
   472
d116 3
colas@0
   473
a118 1
colas@0
   474
TWiki uses the CPAN:CGI::Session and CPAN:CGI::Cookie modules to track sessions using cookies. These modules are de facto standards for session management among Perl programmers. If you can't use Cookies for any reason, CPAN:CGI::Session also supports session tracking using the client IP address. See [[#HowTo][How to choose an authentication method]] for a discussion of the pros and cons of the various authentication methods.
colas@0
   475
d152 1
colas@0
   476
a152 1
colas@0
   477
TWiki can automatically map an Intranet (Login) Username to a TWiki Username if the {AllowLoginName} is enabled in =configure=. The default is to use your WikiName as a login name.
colas@0
   478
d177 1
colas@0
   479
a177 1
colas@0
   480
   * For Template Login, update the {AuthScripts} list using =configure=
colas@0
   481
d186 1
colas@0
   482
a186 1
colas@0
   483
Firstly, the *most secure* method is without doubt to use the webserver authentication support, with Sessions turned *off*.
colas@0
   484
d188 1
colas@0
   485
a188 1
colas@0
   486
The *second most secure method* is to use TWiki's internal authentication with Sessions turned *off*. This method is less secure than using the webserver because passwords are sent in *plain text* and can therefore be intercepted in transit.
colas@0
   487
a193 2
colas@0
   488
The *third most secure* method is to use sessions with IP matching ({UseIPMatching} switched on). Shorter session expiry times are more secure ({Sessions}{ExpireAfter}). The default session lifetime is 6 hours, which is quite a long lifetime for a session.
colas@0
   489
colas@0
   490
d198 11
colas@0
   491
a208 1
colas@0
   492
If you have to turn IP matching off, and cookies can't be relied on, then you may have to rely on the second method, URL rewriting. This method exposes the session IDs very publicly, so should be regarded as the *least secure method*.
colas@0
   493
@
colas@0
   494
colas@0
   495
colas@0
   496
1.21
colas@0
   497
log
colas@0
   498
@buildrelease
colas@0
   499
@
colas@0
   500
text
colas@0
   501
@d1 1
colas@0
   502
a1 1
colas@0
   503
%META:TOPICINFO{author="TWikiContributor" date="1111929255" format="1.0" version="21"}%
colas@0
   504
d43 1
colas@0
   505
a43 1
colas@0
   506
---+++ No Login
colas@0
   507
d49 1
colas@0
   508
a49 1
colas@0
   509
---+++ Template Login
colas@0
   510
d55 1
colas@0
   511
a55 1
colas@0
   512
      1 enable the =TemplateLogin= login manager (on the Security Settings pane).
colas@0
   513
d58 1
colas@0
   514
a58 1
colas@0
   515
    <br /> %H% Check that the password manager recongises the new user. If you are using =.htpasswd= files, check that a new line with the username and encrypted password is added to the =.htpasswd= file. If not, you probably got a path wrong, or the permissions may not allow the webserver user to write to that file.
colas@0
   516
d71 1
colas@0
   517
a71 1
colas@0
   518
---+++ Apache Login
colas@0
   519
d83 2
colas@0
   520
d87 1
colas@0
   521
a87 1
colas@0
   522
   1 Use [[%SCRIPTURLPATH{"configure"}%#LoginManager][configure]] to select the =ApacheLogin= login manager.
colas@0
   523
d124 2
colas@0
   524
@
colas@0
   525
colas@0
   526
colas@0
   527
1.20
colas@0
   528
log
colas@0
   529
@buildrelease
colas@0
   530
@
colas@0
   531
text
colas@0
   532
@d1 1
colas@0
   533
a1 1
colas@0
   534
%META:TOPICINFO{author="TWikiContributor" date="1111929255" format="1.0" version="20"}%
colas@0
   535
d17 1
colas@0
   536
a17 1
colas@0
   537
	* You are %WIKIUSERNAME% 
colas@0
   538
d54 8
colas@0
   539
a61 8
colas@0
   540
	1 Use the [[%SCRIPTURLPATH{"configure"}%][ =configure= ]] interface to
colas@0
   541
		1 enable the =TemplateLogin= login manager (on the Security Settings pane).
colas@0
   542
		1 select the appropriate password manager for your system, or provide your own.
colas@0
   543
	1 Register yourself in the TWikiRegistration topic.
colas@0
   544
	 <br /> %H% Check that the password manager recongises the new user. If you are using =.htpasswd= files, check that a new line with the username and encrypted password is added to the =.htpasswd= file. If not, you probably got a path wrong, or the permissions may not allow the webserver user to write to that file.
colas@0
   545
	1 Create a new topic to check if authentication works.
colas@0
   546
	1 *Edit the %MAINWEB%.TWikiAdminGroup topic in the %MAINWEB% web to include users with system administrator status.*
colas@0
   547
	 <br /> %X% *This is a very important step*, as users in this group can access _all_ topics, independent of TWiki access controls.
colas@0
   548
d85 11
colas@0
   549
a95 11
colas@0
   550
	1 Use [[%SCRIPTURLPATH{"configure"}%#LoginManager][configure]] to select the =ApacheLogin= login manager.
colas@0
   551
	1 Use [[%SCRIPTURLPATH{"configure"}%#PasswordManager][configure]] to set up TWiki to create the right kind of =.htpasswd= entries.
colas@0
   552
	1 Create a =.htaccess= file in the =twiki/bin= directory.<br />%H% There is an template for this file in =twiki/bin/.htaccess.txt= that you can copy and change. The comments in the file explain what need to be done.<br />%H% If you got it right, the browser should now ask for login name and password when you click on the <u>Edit</u>. If =.htaccess= does not have the desired effect, you may need to "AllowOverride All" for the directory in =httpd.conf= (if you have root access; otherwise, e-mail web server support)
colas@0
   553
	 <br /> %X% At this time TWikiAccessControls do not control access to files in the =pub= area, unless they are only accessed through the =viewfile= script. If your =pub= directory is set up to allow open access you may want to add =.htaccess= files in there as well to restrict access 
colas@0
   554
	1 You can create a custom version of TWikiRegistration by deleting or adding input tags. The =name=""= parameter of the input tags must start with: ="Twk0..."= (if this is an optional entry), or ="Twk1..."= (if this is a required entry). This ensures that the fields are carried over into the user home page correctly.
colas@0
   555
	 <br />You can customize the default user home page in NewUserTemplate. The same variables get expanded as in the [[TWikiTemplates#Template_Topics][template topics]]
colas@0
   556
	1 Register yourself in the TWikiRegistration topic.
colas@0
   557
	 <br /> %H% Check that a new line with the username and encrypted password is added to the =.htpasswd= file. If not, you may have got a path wrong, or the permissions may not allow the webserver user to write to that file.
colas@0
   558
	1 Create a new topic to check if authentication works.
colas@0
   559
	1 *Edit the %MAINWEB%.TWikiAdminGroup topic in the %MAINWEB% web to include users with system administrator status.*
colas@0
   560
	 <br /> %X% *This is a very important step*, as users in this group can access _all_ topics, independent of TWiki access controls.
colas@0
   561
d134 1
colas@0
   562
a134 1
colas@0
   563
	* *Login Username:* When you login to the intranet, you use your existing login username, ex: ==pthoeny==. This name is normally passed to TWiki by the ==REMOTE_USER== environment variable, and used internally. Login Usernames are maintained by your system administrator.
colas@0
   564
d136 1
colas@0
   565
a136 1
colas@0
   566
	* *TWiki Username:* Your name in WikiNotation, ex: ==PeterThoeny==, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the %MAINWEB% web.
colas@0
   567
d150 2
colas@0
   568
a151 2
colas@0
   569
	* The ChangePassword form ( ==TWiki/ChangePassword== )
colas@0
   570
	* The ResetPassword form ( ==TWiki/ResetPassword== )
colas@0
   571
d158 1
colas@0
   572
a158 1
colas@0
   573
	* The ChangeEmailAddress form ( ==TWiki/ChangeEmailAddress== )
colas@0
   574
d163 2
colas@0
   575
a164 2
colas@0
   576
	* For Template Login, update the {AuthScripts} list using =configure=
colas@0
   577
	* For Apache Login, add/remove the script from =.htaccess=
colas@0
   578
@
colas@0
   579
colas@0
   580
colas@0
   581
1.19
colas@0
   582
log
colas@0
   583
@none
colas@0
   584
@
colas@0
   585
text
colas@0
   586
@d1 1
colas@0
   587
a1 1
colas@0
   588
%META:TOPICINFO{author="PeterThoeny" date="1092605344" format="1.0" version="1.19"}%
colas@0
   589
d8 1
colas@0
   590
a8 1
colas@0
   591
TWiki does not authenticate users internally, it depends on the =REMOTE_USER= environment variable. This variable is set when you enable Basic Authentication (.htaccess) or SSL "secure server" authentication (https protocol).
colas@0
   592
d10 1
colas@0
   593
a10 1
colas@0
   594
TWiki uses visitor identification to keep track of who made changes to topics at what time and to manage a wide range of personal site settings. This gives a complete audit trail of changes and activity.
colas@0
   595
d12 1
colas@0
   596
a12 1
colas@0
   597
---++ Authentication Options
colas@0
   598
d14 1
colas@0
   599
a14 22
colas@0
   600
No special installation steps are required if the server is already authenticated. If it isn't, you have these options for controlling user access:
colas@0
   601
	1. *No login at all:* Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki mode. All visitors are assigned the %MAINWEB%.TWikiGuest default identity, so you can't track individual user activity.
colas@0
   602
		* *How:* Default, no web server configuration necessary
colas@0
   603
	1. *No login to view; require login to edit:* Keeping track of who changed what and when, while keeping view access unrestricted is desirable in most TWiki deployments. This option is not suitable if you need TWikiAccessControl for view restricted content since TWiki does not know who a user is when looking at content.
colas@0
   604
		* *How:* Use Basic Authentication to control access by protecting key scripts: =attach=, =edit=, =installpasswd=, =manage=, =preview=, =rename=, =save=, =upload=. The TWikiInstallationGuide has step-by-step instructions.
colas@0
   605
	1. *No login to view _unless necessary_; require login to edit:* You prefer not to bother the user with login for unrestricted content, but you need TWikiAccessControl for view restricted content. There are two ways to accomplish this:
colas@0
   606
		* *How 1:* Use Basic Authentication with Partial Authentication (described below)
colas@0
   607
		* *How 2:* Use one of the Session TWiki:Plugins where you give the user the option to login and logout.
colas@0
   608
	1. *Require login to view and edit:* Most restrictive, but TWiki knows who the user is at all times. There are two ways to accomplish this:
colas@0
   609
		* *How 1:* Use Basic Authentication to authenticate the whole =twiki/bin= directory. Consult your web server documentation.
colas@0
   610
		* *How 1:* Use SSL (Secure Sockets Layer; HTTPS) to authenticate and secure the whole server. Consult your web server documentation.
colas@0
   611
colas@0
   612
---+++ Partial Authentication
colas@0
   613
colas@0
   614
*Tracking by IP address* is an experimental feature, enabled in =lib/TWiki.cfg=. It lets you combine open access to some functions, with authentication on others, with full user activity tracking:
colas@0
   615
colas@0
   616
	* Normally, the ==REMOTE_USER== environment variable is set for the scripts that are under authentication. If, for example, the ==edit==, ==save== and ==preview== scripts are authenticated, but not ==view==, you would get your WikiName in ==preview== for the ==%<nop>WIKIUSERNAME%== variable, but ==view== will show ==TWikiGuest== instead of your <nop>WikiName.
colas@0
   617
	* TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts, like ==view==, will show the correct username instead of %MAINWEB%.TWikiGuest.
colas@0
   618
	* Enable this feature by setting the ==$doRememberRemoteUser== flag in =TWiki.cfg=. TWiki then persistently stores the IP address/username pairs in the file, =$remoteUserFilename=, which is ="$dataDir/remoteusers.txt"= by default.
colas@0
   619
	* Copy the =view= script to =viewauth= (or better, create a symbolic link)
colas@0
   620
	* Add =viewauth= to the list of authenticated scripts in the =twiki/bin/.htaccess= file. The =view= script should not be listed in the =.htaccess= file.
colas@0
   621
	* %X% This approach can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
   622
d17 65
colas@0
   623
d83 44
colas@0
   624
a126 1
colas@0
   625
	* You are %WIKIUSERNAME% 
colas@0
   626
d130 1
colas@0
   627
a130 1
colas@0
   628
This section applies only if your TWiki site is installed on a server that is both *authenticated* and on an *intranet*.
colas@0
   629
d132 1
colas@0
   630
a132 1
colas@0
   631
%WIKITOOLNAME% internally manages two usernames: Login Username and TWiki Username.
colas@0
   632
d138 1
colas@0
   633
a138 3
colas@0
   634
TWiki can automatically map an Intranet (Login) Username to a TWiki Username, provided that the username pair exists in the %MAINWEB%.%WIKIUSERSTOPIC% topic. This is also handled automatically when you register.
colas@0
   635
colas@0
   636
	* %X% In the original TWiki distribution, in ==twiki/data==, there are two registration form topics, TWikiRegistration and TWikiRegistrationPub. The original form includes an intranet Login Username field. For Basic Authentication, the original form is replaced by the Pub version. If you started using TWiki on Basic Authentication and want to change, you have to switch back forms for future use, and manually correct the existing entries, by editing %MAINWEB%.%WIKIUSERSTOPIC%, adding the Login Username for each member - =PeterThoeny - pthoeny - 01 Jan 1999= -  and also in the ==.htpasswd== file, where you can either replace the WikiNames or duplicate the entries and have both, so both usernames will work. 
colas@0
   637
d141 2
colas@0
   638
a142 3
colas@0
   639
__NOTE:__ *To correctly enter a WikiName* - your own or someone else's - be sure to include the %MAINWEB% web name in front of the Wiki username, followed by a period, and no spaces. Ex:
colas@0
   640
<div align="center"> ==%MAINWEB%.<nop>WikiUsername== or ==%<nop>MAINWEB%.<nop>WikiUsername== </div>
colas@0
   641
This points ==<nop>WikiUser== to the %WIKITOOLNAME%.%MAINWEB% web, where user registration pages are stored, no matter which web it's entered in. Without the web prefix, the name appears as a NewTopic everywhere but in the %MAINWEB% web.
colas@0
   642
d148 21
colas@0
   643
a168 1
colas@0
   644
Change and reset passwords using forms on regular pages. Use TWikiAccessControl to restrict use as required.
colas@0
   645
d170 1
colas@0
   646
a170 1
colas@0
   647
	* The ChangePassword form ( ==TWiki/ChangePassword== ):
colas@0
   648
d172 7
colas@0
   649
a178 3
colas@0
   650
<blockquote style="background-color:#f5f5f5">
colas@0
   651
%INCLUDE{"ChangePassword"}%
colas@0
   652
</blockquote>
colas@0
   653
d180 1
colas@0
   654
a180 1
colas@0
   655
	* The ResetPassword form ( ==TWiki/ResetPassword== ):
colas@0
   656
d182 1
colas@0
   657
a182 3
colas@0
   658
<blockquote style="background-color:#f5f5f5">
colas@0
   659
%INCLUDE{"ResetPassword"}%
colas@0
   660
</blockquote>
colas@0
   661
d184 1
colas@0
   662
a184 2
colas@0
   663
-- TWiki:Main.MikeMannix - 19 May 2002 %BR%
colas@0
   664
-- TWiki:Main.PeterThoeny - 25 Apr 2004
colas@0
   665
d186 1
colas@0
   666
a186 1
colas@0
   667
%STOPINCLUDE%
colas@0
   668
d188 1
colas@0
   669
d190 2
colas@0
   670
d193 1
colas@0
   671
a193 1
colas@0
   672
%META:TOPICMOVED{by="MikeMannix" date="999320061" from="TWiki.TWikiAuthentication" to="TWiki.TWikiUserAuthentication"}%
colas@0
   673
@
colas@0
   674
colas@0
   675
colas@0
   676
1.18
colas@0
   677
log
colas@0
   678
@none
colas@0
   679
@
colas@0
   680
text
colas@0
   681
@d1 1
colas@0
   682
a1 1
colas@0
   683
%META:TOPICINFO{author="PeterThoeny" date="1082877324" format="1.0" version="1.18"}%
colas@0
   684
d18 1
colas@0
   685
a18 1
colas@0
   686
		* *How:* Use Basic Authentication (=.htaccess=) to control access by protecting key scripts: =attach=, =edit=, =installpasswd=, =manage=, =preview=, =rename=, =save=, =upload= using the ==.htaccess file==. The TWikiInstallationGuide has step-by-step instructions.
colas@0
   687
d78 2
colas@0
   688
a79 2
colas@0
   689
-- TWiki.Main.MikeMannix - 19 May 2002 %BR%
colas@0
   690
-- TWiki.Main.PeterThoeny - 25 Apr 2004
colas@0
   691
@
colas@0
   692
colas@0
   693
colas@0
   694
1.17
colas@0
   695
log
colas@0
   696
@none
colas@0
   697
@
colas@0
   698
text
colas@0
   699
@d1 84
colas@0
   700
a84 83
colas@0
   701
%META:TOPICINFO{author="PeterThoeny" date="1054178925" format="1.0" version="1.17"}%
colas@0
   702
%TOC%
colas@0
   703
%STARTINCLUDE%
colas@0
   704
---# TWiki User Authentication
colas@0
   705
colas@0
   706
_TWiki site access control and user activity tracking options_
colas@0
   707
colas@0
   708
TWiki does not authenticate users internally, it depends on the =REMOTE_USER= environment variable. This variable is set when you enable Basic Authentication (.htaccess) or SSL "secure server" authentication (https protocol).
colas@0
   709
colas@0
   710
TWiki uses visitor identification to keep track of who made changes to topics at what time and to manage a wide range of personal site settings. This gives a complete audit trail of changes and activity.
colas@0
   711
colas@0
   712
---++ Authentication Options
colas@0
   713
colas@0
   714
No special installation steps are required if the server is already authenticated. If it isn't, you have these options for controlling user access:
colas@0
   715
	1. *No login at all:* Forget about authentication to make your site completely public - anyone can browse and edit freely, in classic Wiki mode. All visitors are assigned the %MAINWEB%.TWikiGuest default identity, so you can't track individual user activity.
colas@0
   716
		* *How:* Default, no web server configuration necessary
colas@0
   717
	1. *No login to view; require login to edit:* Keeping track of who changed what and when, while keeping view access unrestricted is desirable in most TWiki deployments. This option is not suitable if you need TWikiAccessControl for view restricted content since TWiki does not know who a user is when looking at content.
colas@0
   718
		* *How:* Use Basic Authentication (=.htaccess=) to control access by protecting key scripts: =attach=, =edit=, =installpasswd=, =manage=, =preview=, =rename=, =save=, =upload= using the ==.htaccess file==. The TWikiInstallationGuide has step-by-step instructions.
colas@0
   719
	1. *No login to view _unless necessary_; require login to edit:* You prefer not to bother the user with login for unrestricted content, but you need TWikiAccessControl for view restricted content. There are two ways to accomplish this:
colas@0
   720
		* *How 1:* Use Basic Authentication with Partial Authentication (described below)
colas@0
   721
		* *How 2:* Use one of the Session TWiki:Plugins where you give the user the option to login and logout.
colas@0
   722
	1. *Require login to view and edit:* Most restrictive, but TWiki knows who the user is at all times. There are two ways to accomplish this:
colas@0
   723
		* *How 1:* Use Basic Authentication to authenticate the whole =twiki/bin= directory. Consult your web server documentation.
colas@0
   724
		* *How 1:* Use SSL (Secure Sockets Layer; HTTPS) to authenticate and secure the whole server. Consult your web server documentation.
colas@0
   725
colas@0
   726
---+++ Partial Authentication
colas@0
   727
colas@0
   728
*Tracking by IP address* is an experimental feature, enabled in =lib/TWiki.cfg=. It lets you combine open access to some functions, with authentication on others, with full user activity tracking:
colas@0
   729
colas@0
   730
	* Normally, the ==REMOTE_USER== environment variable is set for the scripts that are under authentication. If, for example, the ==edit==, ==save== and ==preview== scripts are authenticated, but not ==view==, you would get your WikiName in ==preview== for the ==%<nop>WIKIUSERNAME%== variable, but ==view== will show ==TWikiGuest== instead of your <nop>WikiName.
colas@0
   731
	* TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts, like ==view==, will show the correct username instead of %MAINWEB%.TWikiGuest.
colas@0
   732
	* Enable this feature by setting the ==$doRememberRemoteUser== flag in =TWiki.cfg=. TWiki then persistently stores the IP address/username pairs in the file, =$remoteUserFilename=, which is ="$dataDir/remoteusers.txt"= by default.
colas@0
   733
	* Copy the =view= script to =viewauth= (or better, create a symbolic link)
colas@0
   734
	* Add =viewauth= to the list of authenticated scripts in the =twiki/bin/.htaccess= file. The =view= script should not be listed in the =.htaccess= file.
colas@0
   735
	* %X% This approach can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
   736
colas@0
   737
*Quick Authentication Test* - Use the %<nop>WIKIUSERNAME% variable to return your current identity:
colas@0
   738
colas@0
   739
	* You are %WIKIUSERNAME% 
colas@0
   740
colas@0
   741
---++ TWiki Username vs. Login Username
colas@0
   742
colas@0
   743
This section applies only if your TWiki site is installed on a server that is both *authenticated* and on an *intranet*.
colas@0
   744
colas@0
   745
%WIKITOOLNAME% internally manages two usernames: Login Username and TWiki Username.
colas@0
   746
colas@0
   747
	* *Login Username:* When you login to the intranet, you use your existing login username, ex: ==pthoeny==. This name is normally passed to TWiki by the ==REMOTE_USER== environment variable, and used internally. Login Usernames are maintained by your system administrator.
colas@0
   748
colas@0
   749
	* *TWiki Username:* Your name in WikiNotation, ex: ==PeterThoeny==, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the %MAINWEB% web.
colas@0
   750
colas@0
   751
TWiki can automatically map an Intranet (Login) Username to a TWiki Username, provided that the username pair exists in the %MAINWEB%.%WIKIUSERSTOPIC% topic. This is also handled automatically when you register.
colas@0
   752
colas@0
   753
	* %X% In the original TWiki distribution, in ==twiki/data==, there are two registration form topics, TWikiRegistration and TWikiRegistrationPub. The original form includes an intranet Login Username field. For Basic Authentication, the original form is replaced by the Pub version. If you started using TWiki on Basic Authentication and want to change, you have to switch back forms for future use, and manually correct the existing entries, by editing %MAINWEB%.%WIKIUSERSTOPIC%, adding the Login Username for each member - =PeterThoeny - pthoeny - 01 Jan 1999= -  and also in the ==.htpasswd== file, where you can either replace the WikiNames or duplicate the entries and have both, so both usernames will work. __verification and clearer rewrite to follow in a bit. also link to original installation mention.__
colas@0
   754
colas@0
   755
<blockquote>
colas@0
   756
__NOTE:__ *To correctly enter a WikiName* - your own or someone else's - be sure to include the %MAINWEB% web name in front of the Wiki username, followed by a period, and no spaces. Ex:
colas@0
   757
<div align="center"> ==%MAINWEB%.<nop>WikiUsername== or ==%<nop>MAINWEB%.<nop>WikiUsername== </div>
colas@0
   758
This points ==<nop>WikiUser== to the %WIKITOOLNAME%.%MAINWEB% web, where user registration pages are stored, no matter which web it's entered in. Without the web prefix, the name appears as a NewTopic everywhere but in the %MAINWEB% web.
colas@0
   759
</blockquote>
colas@0
   760
colas@0
   761
#ChangingPasswords
colas@0
   762
---++ Changing Passwords
colas@0
   763
colas@0
   764
Change and reset passwords using forms on regular pages. Use TWikiAccessControl to restrict use as required.
colas@0
   765
colas@0
   766
	* The ChangePassword form ( ==TWiki/ChangePassword== ):
colas@0
   767
colas@0
   768
<blockquote style="background-color:#f5f5f5">
colas@0
   769
%INCLUDE{"ChangePassword"}%
colas@0
   770
</blockquote>
colas@0
   771
colas@0
   772
	* The ResetPassword form ( ==TWiki/ResetPassword== ):
colas@0
   773
colas@0
   774
<blockquote style="background-color:#f5f5f5">
colas@0
   775
%INCLUDE{"ResetPassword"}%
colas@0
   776
</blockquote>
colas@0
   777
colas@0
   778
-- Main.MikeMannix - 19 May 2002
colas@0
   779
colas@0
   780
%STOPINCLUDE%
colas@0
   781
colas@0
   782
colas@0
   783
colas@0
   784
@
colas@0
   785
colas@0
   786
colas@0
   787
1.16
colas@0
   788
log
colas@0
   789
@none
colas@0
   790
@
colas@0
   791
text
colas@0
   792
@d1 1
colas@0
   793
a1 1
colas@0
   794
%META:TOPICINFO{author="PeterThoeny" date="1050303329" format="1.0" version="1.16"}%
colas@0
   795
a30 1
colas@0
   796
colas@0
   797
a31 1
colas@0
   798
colas@0
   799
d33 2
colas@0
   800
a34 1
colas@0
   801
colas@0
   802
@
colas@0
   803
colas@0
   804
colas@0
   805
1.15
colas@0
   806
log
colas@0
   807
@none
colas@0
   808
@
colas@0
   809
text
colas@0
   810
@d1 1
colas@0
   811
a1 1
colas@0
   812
%META:TOPICINFO{author="PeterThoeny" date="1041127470" format="1.0" version="1.15"}%
colas@0
   813
d14 11
colas@0
   814
a24 4
colas@0
   815
No special installation steps are required if the server is already authenticated. If it isn't, you have three standard options for controlling user access:
colas@0
   816
	1. *Forget about authentication* to make your site completely public - anyone can browse and edit freely, in classic Wiki mode. All visitors are assigned the %MAINWEB%.TWikiGuest default identity, so you can't track individual user activity. <br />
colas@0
   817
	1. *Use SSL (Secure Sockets Layer; HTTPS)* to authenticate and secure the whole server. <br />
colas@0
   818
	1. *Use Basic Authentication (.htaccess)* to control access by protecting key scripts: =attach=, =edit==, =installpasswd=, =preview=, =rename=, =save=, =upload= using the ==.htaccess file==. The TWikiInstallationGuide has step-by-step instructions. 
colas@0
   819
@
colas@0
   820
colas@0
   821
colas@0
   822
1.14
colas@0
   823
log
colas@0
   824
@none
colas@0
   825
@
colas@0
   826
text
colas@0
   827
@d1 1
colas@0
   828
a1 1
colas@0
   829
%META:TOPICINFO{author="MikeMannix" date="1021820542" format="1.0" version="1.14"}%
colas@0
   830
d47 1
colas@0
   831
a47 1
colas@0
   832
	* %X% In the original TWiki distribution, in ==twiki/data==, there are two registration form topics, TWikiRegistration and TWikiRegistrationPub. The original form includes an intranet Login Username field. For Basic Authentication, the original form is replaced by the Pub version. If you started using TWiki on Basic Authentication and want to change, you have to switch back forms for future use, and manually correct the existing entries, by editing TWikiUsers, adding the Login Username for each member - =PeterThoeny - pthoeny - 01 Jan 1999= -  and also in the ==.htpasswd== file, where you can either replace the WikiNames or duplicate the entries and have both, so both usernames will work. __verification and clearer rewrite to follow in a bit. also link to original installation mention.__
colas@0
   833
@
colas@0
   834
colas@0
   835
colas@0
   836
1.13
colas@0
   837
log
colas@0
   838
@none
colas@0
   839
@
colas@0
   840
text
colas@0
   841
@d1 1
colas@0
   842
a1 1
colas@0
   843
%META:TOPICINFO{author="MikeMannix" date="1000545481" format="1.0" version="1.13"}%
colas@0
   844
d6 1
colas@0
   845
a6 3
colas@0
   846
_TWiki site access control and user activity tracking_
colas@0
   847
colas@0
   848
---++ Overview
colas@0
   849
d15 3
colas@0
   850
a17 3
colas@0
   851
	1. *Forget about authentication* to make your site completely public - anyone can browse and edit freely, in classic Wiki mode. All visitors are assigned the %MAINWEB%.TWikiGuest default identity, so you can't track individual user activity. <br>
colas@0
   852
	1. *Use SSL* (Secure Sockets Layer; HTTPS) to authenticate and secure the whole server. <br>
colas@0
   853
	1. *Use Basic Authentication (.htaccess)* to control access by protecting key scripts: =attach=, =edit==, =installpasswd=, =preview=, =rename=, =save=, =upload= using the .htaccess file. The TWikiInstallationGuide has step-by-step instructions. 
colas@0
   854
d29 1
colas@0
   855
a29 1
colas@0
   856
	* __NOTE:__ This approach can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
   857
d37 3
colas@0
   858
a39 1
colas@0
   859
This section applies only if your %WIKITOOLNAME% is installed on a server that is both *authenticated* and on an *intranet*.
colas@0
   860
d41 1
colas@0
   861
a41 1
colas@0
   862
%WIKITOOLNAME% internally manages two usernames: Login username and TWiki username.
colas@0
   863
d43 1
colas@0
   864
a43 1
colas@0
   865
	* *Login username:* When you login to the intranet, you use your existing login username, ex: ==pthoeny==. This name is normally passed to %WIKITOOLNAME% by the ==REMOTE_USER== environment variable, and used by internally by %WIKITOOLNAME%. Login usernames are maintained by your system administrator.
colas@0
   866
d45 1
colas@0
   867
a45 1
colas@0
   868
	* *TWiki username:* Your name in WikiNotation, ex: ==PeterThoeny==, is recorded when you register using TWikiRegistration; doing so also generates a personal home page in the %MAINWEB% web.
colas@0
   869
d47 1
colas@0
   870
a47 1
colas@0
   871
%WIKITOOLNAME% can automatically map an intranet username to a TWiki username, provided that the username pair exists in the %MAINWEB%.%WIKIUSERSTOPIC% topic. This is also handled automatically when you register.
colas@0
   872
d72 5
colas@0
   873
a77 1
colas@0
   874
-- MikeMannix - 29 Aug 2001 
colas@0
   875
@
colas@0
   876
colas@0
   877
colas@0
   878
1.12
colas@0
   879
log
colas@0
   880
@none
colas@0
   881
@
colas@0
   882
text
colas@0
   883
@d1 1
colas@0
   884
a1 3
colas@0
   885
%META:TOPICINFO{author="PeterThoeny" date="1000454534" format="1.0" version="1.12"}%
colas@0
   886
%INCLUDE{"UtilTempDocNote"}%
colas@0
   887
colas@0
   888
d10 1
colas@0
   889
a10 1
colas@0
   890
TWiki does not authenticate users internally, it depends on the ==REMOTE_USER== environment variable. This variable is set when you enable Basic Authentication (.htaccess) or SSL "secure server" authentication (https protocol).
colas@0
   891
d16 1
colas@0
   892
a16 1
colas@0
   893
No special installation steps need to be performed if the server is already authenticated. If not, you have three standard options for controlling user access:
colas@0
   894
d62 1
colas@0
   895
a62 1
colas@0
   896
<blockquote style="background-color:#f0f0f0">
colas@0
   897
d68 1
colas@0
   898
a68 1
colas@0
   899
<blockquote style="background-color:#f0f0f0">
colas@0
   900
@
colas@0
   901
colas@0
   902
colas@0
   903
1.11
colas@0
   904
log
colas@0
   905
@none
colas@0
   906
@
colas@0
   907
text
colas@0
   908
@d1 1
colas@0
   909
a1 1
colas@0
   910
%META:TOPICINFO{author="MikeMannix" date="1000280080" format="1.0" version="1.11"}%
colas@0
   911
d21 1
colas@0
   912
a21 1
colas@0
   913
	1. *Use Basic Authentication (HTAccess)* to control access by protecting key scripts: =attach=, =edit==, =installpasswd=, =password=, =preview=, =rename=, =save=, =upload=, =view=, =viewfile= using .htaccess files. The [[TWikiDocumentation#TWiki_Installation_Notes][TWiki Installation Guide]] has step-by-step instructions. 
colas@0
   914
@
colas@0
   915
colas@0
   916
colas@0
   917
1.10
colas@0
   918
log
colas@0
   919
@none
colas@0
   920
@
colas@0
   921
text
colas@0
   922
@d1 3
colas@0
   923
a3 1
colas@0
   924
%META:TOPICINFO{author="MikeMannix" date="999857118" format="1.0" version="1.10"}%
colas@0
   925
@
colas@0
   926
colas@0
   927
colas@0
   928
1.9
colas@0
   929
log
colas@0
   930
@none
colas@0
   931
@
colas@0
   932
text
colas@0
   933
@d1 1
colas@0
   934
a1 1
colas@0
   935
%META:TOPICINFO{author="MikeMannix" date="999811937" format="1.0" version="1.9"}%
colas@0
   936
d4 1
colas@0
   937
a4 1
colas@0
   938
---## TWiki User Authentication
colas@0
   939
d8 1
colas@0
   940
a8 1
colas@0
   941
---+++ Overview
colas@0
   942
d14 1
colas@0
   943
a14 1
colas@0
   944
---+++ Authentication Options
colas@0
   945
d21 1
colas@0
   946
a21 1
colas@0
   947
---++++ Partial Authentication
colas@0
   948
d37 1
colas@0
   949
a37 1
colas@0
   950
---+++ TWiki Username vs. Login Username
colas@0
   951
d56 1
colas@0
   952
a56 1
colas@0
   953
---+++ Changing Passwords
colas@0
   954
a72 1
colas@0
   955
-- PeterThoeny - 16 Mar 2001 <br>
colas@0
   956
a73 1
colas@0
   957
colas@0
   958
@
colas@0
   959
colas@0
   960
colas@0
   961
1.8
colas@0
   962
log
colas@0
   963
@none
colas@0
   964
@
colas@0
   965
text
colas@0
   966
@d1 1
colas@0
   967
a1 1
colas@0
   968
%META:TOPICINFO{author="MikeMannix" date="999755787" format="1.0" version="1.8"}%
colas@0
   969
d16 4
colas@0
   970
a19 4
colas@0
   971
No special installation steps need to be performed if the server is already authenticated. If not, you have three remaining options to controlling user access:
colas@0
   972
	1. *Forget about authentication.* All changes are registered to %MAINWEB%.TWikiGuest user, so you can't tell who made changes. Your site is completely open and public - anyone can browse and edit freely, in classic Wiki mode.<br>
colas@0
   973
	1. *Use Basic Authentication* for the ==edit== and ==attach== scripts. This uses .htaccess and generates the familiar grey log-in window. The [[TWikiDocumentation#TWiki_Installation_Notes][TWiki Installation Guide]] has step-by-step instructions.<br>
colas@0
   974
	1. *Use SSL* to authenticate and secure the whole server. 
colas@0
   975
d21 1
colas@0
   976
a21 1
colas@0
   977
---+++ Tracking by IP Address
colas@0
   978
d23 1
colas@0
   979
a23 1
colas@0
   980
The ==REMOTE_USER== environment variable is only set for the scripts that are under authentication. If, for example, the ==edit==, ==save== and ==preview== scripts are authenticated, but not ==view==, you would get your WikiName in ==preview== for the ==%<nop>WIKIUSERNAME%== variable, but ==view== will show ==TWikiGuest== instead of your <nop>WikiName.
colas@0
   981
d25 1
colas@0
   982
a25 1
colas@0
   983
There is a way to tell TWiki to remember the user for the scripts that are not authenticated, ex: in case the ==REMOTE_USER== environment variable is not set. TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts like ==view== will show the correct username instead of ==TWikiGuest==. You can enable this by setting the ==$doRememberRemoteUser== flag in ==TWiki.cfg==. TWiki persistently stores the IP address/username pairs in the file ==$remoteUserFilename==, which is =="$dataDir/remoteusers.txt"== by default. Please note that this can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
   984
d27 9
colas@0
   985
a35 1
colas@0
   986
*Authentication Test:* You are %WIKIUSERNAME% (%<nop>WIKIUSERNAME%)
colas@0
   987
d44 1
colas@0
   988
d50 1
colas@0
   989
a50 1
colas@0
   990
*NOTE:* *To correctly enter a WikiName* - your own or someone else's - be sure to include the %MAINWEB% web name in front of the Wiki username, followed by a period, and no spaces. Ex:
colas@0
   991
d58 1
colas@0
   992
a58 1
colas@0
   993
Change and reset passwords using forms on regular pages. Use topic-level TWikiAccessControl to restrict use as required.
colas@0
   994
d60 1
colas@0
   995
a60 1
colas@0
   996
	* The ChangePassword form, ==TWiki/ChangePassword==:
colas@0
   997
d66 1
colas@0
   998
a66 1
colas@0
   999
	* The ResetPassword form ==TWiki/ResetPassword==:
colas@0
  1000
@
colas@0
  1001
colas@0
  1002
colas@0
  1003
1.7
colas@0
  1004
log
colas@0
  1005
@none
colas@0
  1006
@
colas@0
  1007
text
colas@0
  1008
@d1 1
colas@0
  1009
a1 1
colas@0
  1010
%META:TOPICINFO{author="MikeMannix" date="999567701" format="1.0" version="1.7"}%
colas@0
  1011
d6 1
colas@0
  1012
a6 1
colas@0
  1013
Controlling TWiki site access and logging authorized user activity
colas@0
  1014
d17 3
colas@0
  1015
a19 3
colas@0
  1016
	1 *Forget about authentication.* All changes are registered to %MAINWEB%.TWikiGuest user, so you can't tell who made changes. Your site is completely open and public - anyone can browse and edit freely, in classic Wiki mode.<br>
colas@0
  1017
	1 *Use Basic Authentication* for the ==edit== and ==attach== scripts. This uses .htaccess and generates the familiar grey log-in window. The [[TWikiDocumentation#TWiki_Installation_Notes][TWiki Installation Guide]] has step-by-step instructions.<br>
colas@0
  1018
	1 *Use SSL* to authenticate and secure the whole server. 
colas@0
  1019
d46 1
colas@0
  1020
d49 5
colas@0
  1021
d55 1
colas@0
  1022
d57 3
colas@0
  1023
d61 2
colas@0
  1024
@
colas@0
  1025
colas@0
  1026
colas@0
  1027
1.6
colas@0
  1028
log
colas@0
  1029
@none
colas@0
  1030
@
colas@0
  1031
text
colas@0
  1032
@d1 1
colas@0
  1033
a1 1
colas@0
  1034
%META:TOPICINFO{author="MikeMannix" date="999502042" format="1.0" version="1.6"}%
colas@0
  1035
d48 3
colas@0
  1036
a50 1
colas@0
  1037
%INCLUDE{"ChangingPasswords"}%
colas@0
  1038
@
colas@0
  1039
colas@0
  1040
colas@0
  1041
1.5
colas@0
  1042
log
colas@0
  1043
@none
colas@0
  1044
@
colas@0
  1045
text
colas@0
  1046
@d1 1
colas@0
  1047
a1 1
colas@0
  1048
%META:TOPICINFO{author="MikeMannix" date="999408728" format="1.0" version="1.5"}%
colas@0
  1049
d45 4
colas@0
  1050
@
colas@0
  1051
colas@0
  1052
colas@0
  1053
1.4
colas@0
  1054
log
colas@0
  1055
@none
colas@0
  1056
@
colas@0
  1057
text
colas@0
  1058
@d1 1
colas@0
  1059
a1 1
colas@0
  1060
%META:TOPICINFO{author="MikeMannix" date="999320253" format="1.0" version="1.4"}%
colas@0
  1061
d6 5
colas@0
  1062
a10 1
colas@0
  1063
TWiki does not authenticate users internally, it depends on the ==REMOTE_USER== environment variable. This variable is set when you enable basic authentication or authentication via SSL (https protocol).
colas@0
  1064
d17 2
colas@0
  1065
a18 2
colas@0
  1066
	1 *Forget about authentication.* All changes are registered to %MAINWEB%.TWikiGuest user, so you can't tell who made changes. Your site is completely open and public.
colas@0
  1067
	1 *Use Basic Authentication* for the ==edit== and ==attach== scripts. This uses .htaccess and generates the familiar grey log-in window. [[TWikiDocumentation#TWiki_Installation_Notes][TWiki Installation Notes]] has more.
colas@0
  1068
d25 1
colas@0
  1069
a25 1
colas@0
  1070
There is a way to tell TWiki to remember the user for the scripts that are not authenticated, ex: in case the ==REMOTE_USER== environment variable is not set. TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts like ==view== will show the correct username instead of ==TWikiGuest==. You can enable this by setting the ==$doRememberRemoteUser== flag in ==TWiki.cfg==. TWiki persistently stores the IP address / username pairs in file ==$remoteUserFilename==, which is =="$dataDir/remoteusers.txt"== by default. Please note that this can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
  1071
d41 1
colas@0
  1072
a41 1
colas@0
  1073
__NOTE:__ *To correctly enter a WikiName* - your own or someone else's - be sure to include the %MAINWEB% web name in front of the Wiki username, followed by a period, and no spaces. Ex:
colas@0
  1074
@
colas@0
  1075
colas@0
  1076
colas@0
  1077
1.3
colas@0
  1078
log
colas@0
  1079
@none
colas@0
  1080
@
colas@0
  1081
text
colas@0
  1082
@d1 1
colas@0
  1083
a1 1
colas@0
  1084
%META:TOPICINFO{author="MikeMannix" date="999098621" format="1.0" version="1.3"}%
colas@0
  1085
d4 1
colas@0
  1086
a4 1
colas@0
  1087
---## TWiki Authentication
colas@0
  1088
d43 3
colas@0
  1089
a45 1
colas@0
  1090
-- MikeMannix - 29 Aug 2001 
colas@0
  1091
@
colas@0
  1092
colas@0
  1093
colas@0
  1094
1.2
colas@0
  1095
log
colas@0
  1096
@none
colas@0
  1097
@
colas@0
  1098
text
colas@0
  1099
@d1 3
colas@0
  1100
d6 1
colas@0
  1101
a6 1
colas@0
  1102
TWiki does not authenticate users internally, it depends on the ==REMOTE_USER== environment variable. This variable is set when you enable basic authentication or authentication via SSL (https protocol)
colas@0
  1103
d8 1
colas@0
  1104
a8 1
colas@0
  1105
TWiki keeps track who made changes to topics at what time. This gives a complete audit trail of changes.
colas@0
  1106
d10 1
colas@0
  1107
a10 4
colas@0
  1108
No special installation steps need to be performed in case the server is already autenticated. If not you can opt for one of these:
colas@0
  1109
	* Forget about authentication. All changes will be registered as %MAINWEB%.TWikiGuest user, e.g. you can't tell who made changes.
colas@0
  1110
	* Use basic authentication for the ==edit== and ==attach== scripts. [[TWikiDocumentation#TWiki_Installation_Notes][TWiki Installation Notes]] tells you more about that.
colas@0
  1111
	* Use SSL to authenticate and secure the whole server.
colas@0
  1112
d12 4
colas@0
  1113
a15 1
colas@0
  1114
The ==REMOTE_USER== environment variable is only set for the scripts that are under authentication. If for example the ==edit==, ==save== and ==preview== scripts are authenticated, but not ==view==, you would get your WikiName in ==preview== for the ==%<nop>WIKIUSERNAME%== variable, but ==view== will show ==TWikiGuest== instead of your <nop>WikiName.
colas@0
  1115
d17 1
colas@0
  1116
a17 1
colas@0
  1117
There is a way to tell TWiki to remember the user for the scripts that are not authenticated, e.g. for the case where the ==REMOTE_USER== environment variable is not set. TWiki can be configured to remember the IP address / username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non authenticated scripts like ==view== will show the correct username instead of ==TWikiGuest==. You can enable this by setting the ==$doRememberRemoteUser== flag in ==TWiki.cfg==. TWiki persistently stores the IP address / username pairs in file ==$remoteUserFilename==, which is =="$dataDir/remoteusers.txt"== by default. Please note that this can fail in case the IP address changes due to dynamically assigned IP addresses or proxy servers. 
colas@0
  1118
d19 22
colas@0
  1119
a40 1
colas@0
  1120
Test: You are %WIKIUSERNAME%.
colas@0
  1121
d43 1
colas@0
  1122
@
colas@0
  1123
colas@0
  1124
colas@0
  1125
1.1
colas@0
  1126
log
colas@0
  1127
@none
colas@0
  1128
@
colas@0
  1129
text
colas@0
  1130
@d1 3
colas@0
  1131
a3 1
colas@0
  1132
TWiki does not authenticate users internally, it depends on the =REMOTE_USER= environment variable. This variable is set when you enable basic authentication or authentication via SSL (https protocol)
colas@0
  1133
d9 1
colas@0
  1134
a9 1
colas@0
  1135
	* Use basic authentication for the =edit= and =attach= scripts. <a href="TWikiDocumentation#installation">TWiki Installation</a> tells you more about that.
colas@0
  1136
d12 3
colas@0
  1137
a14 1
colas@0
  1138
The =REMOTE_USER= environment variable is only set for the scripts that are under authentication. If for example the =edit=, =save= and =preview= scripts are authenticated, but not =view=, you would get your WikiName in =preview= for the =%<nop>WIKIUSERNAME%= variable, but =view= will show =TWikiGuest= instead of your <nop>WikiName.
colas@0
  1139
d16 1
colas@0
  1140
a16 1
colas@0
  1141
There is a way to tell TWiki to remember the user for the scripts that are not authenticated, e.g. for the case where the =REMOTE_USER= environment variable is not set. TWiki can be configured to remember the IP address / username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non authenticated scripts like =view= will show the correct username instead of =TWikiGuest=. You can enable this by setting the =$doRememberRemoteUser= flag in =wikicfg.pm=. TWiki persistently stores the IP address / username pairs in file =$remoteUserFilename=, which is ="$dataDir/remoteusers.txt"= by default. Please note that this can fail in case the IP address changes due to dynamically assigned IP addresses or proxy servers. Test: You are %WIKIUSERNAME%.
colas@0
  1142
d18 1
colas@0
  1143
a18 1
colas@0
  1144
-- Main.PeterThoeny - 02 Nov 2000 <br>
colas@0
  1145
@