MediaWiki: HttpAuth Plugin
January 29th, 2007 by oremj
Using MediaWiki behind HTTP authentication was always slightly annoying in the past. One would have to:
- Log in with their htpasswd credentials
- Create an account if it did not exist already
- Log in with their wiki credentials
- Remember both sets of credentials
This extension reduces the previous four steps into one simple step:
- Log in with htpasswd credentials
The extension can be downloaded at http://people.mozilla.com/~oremj/HttpAuthPlugin.php, and setup instructions are at MediaWiki.
Hi Jeremiah,
I’m having some trouble using your HttpAuthPlugin on the latest version of MediaWiki. I get logged in with no issue, but when I try to edit a page it fails silently on submit.
I’m using MediaWiki 1.9.3. No error messages are logged anywhere that I can find, the page that I’m editing simply doesn’t change.
Any idea what this might be?
Thanks!
-Ben
Hi Ben,
I had troubles with the plugin in 1.9.3, too. Htaccess logged in fine, but in MediaWiki I was not logged in. So I replaced all PHP_AUTH_USER with REMOTE_USER in HttpAuthPlugin.php and LocalSettings.php. Now everything works fine.
Best regards,
Korbinian
There is a security hole in the extension.
Function autoAuthenticate() should ensure the username loaded from session matches the username that was used for HTTP authentication.
If it doesn’t, a user can get an account that would belong to another previously authenticated user, because some browsers can clear HTTP authentication data without clearing the cookies.
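The check this comment asks for, sketched as an added example: it is not code from HttpAuthPlugin.php, the function names are hypothetical, and the username canonicalization is an assumption about how the wiki normalizes names. It also falls back to REMOTE_USER when PHP_AUTH_USER is absent, as other comments on this page suggest.

```php
<?php
// Added illustration, not code from HttpAuthPlugin.php; all function names are hypothetical.

/** Username the web server authenticated, or null if none was supplied. */
function httpAuthUser(array $server): ?string
{
    // PHP_AUTH_USER may be missing when PHP runs as CGI; fall back to REMOTE_USER.
    foreach (['PHP_AUTH_USER', 'REMOTE_USER'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

/** Assumed canonical form: underscores as spaces, first letter upper-case. */
function canonicalName(string $name): string
{
    return ucfirst(trim(str_replace('_', ' ', $name)));
}

/**
 * 'reuse'   session user matches the HTTP-authenticated user
 * 'relogin' HTTP user present, session missing or owned by someone else
 * 'deny'    no HTTP user at all, so a leftover cookie must not log anyone in
 */
function sessionDecision(array $server, ?string $sessionUser): string
{
    $httpUser = httpAuthUser($server);
    if ($httpUser === null) {
        return 'deny';
    }
    if ($sessionUser !== null && canonicalName($sessionUser) === canonicalName($httpUser)) {
        return 'reuse';
    }
    return 'relogin'; // drop the old session, then load the account for $httpUser
}

// Constructed sample requests: [server variables, username stored in the session].
$cases = [
    [['PHP_AUTH_USER' => 'alice'], 'Alice'], // same user in both places
    [['REMOTE_USER' => 'bob'], 'Alice'],     // cookie left by another user
    [[], 'Alice'],                           // cookie but no HTTP user
    [['REMOTE_USER' => 'bob'], null],        // first visit, no session yet
];
foreach ($cases as [$server, $sessionUser]) {
    echo json_encode($server), ' session=', var_export($sessionUser, true),
         ' => ', sessionDecision($server, $sessionUser), PHP_EOL;
}
```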
Hi,
This plugin will be more flexible if it also checks for the REMOTE_USER variable (when PHP_AUTH_USER doesn’t exist), so that it will also work when running PHP as CGI.
Just a wishlist to improve the plugin capability
Hello Jeremiah,
I’m using MediaWiki 1.11.0rc1 on Centos5.0, I had to add a ‘return 0’ at the end of the autoAuthenticate function in your module. I’m using xradius to do the HTTP auth, everything seems to function correctly.
What Michael said above I added “return true;” as the last line of authAuthenticate. It looks like, if it falls through that far, it means we have authentication.
Hi Jeremiah,
Looks like PHP functionality was added to http://people.mozilla.com.
HttpAuthPlugin.php no longer can be downloaded, returned page is blank.
Could you rename the plugin extension to ‘txt’ or ‘phps’? That should make your script available again.
Looking forward to using it.
Thanks
Thanks for the heads up. You should be able to download it now.
Hi oremj,
your HTTPAuth Plugin looks similar to an extension I’m desperately looking for.
What I want is:
People log onto our password protected customer site. From there, there is a link to MediaWiki. I would like those people to get automatically logged in to the wiki site with the same username. No need to press the login button and type in username and password. They have already done it. Actually they didn’t, they got automatically logged in via our desktop software into our customer web site.
Is that possible? And can your code be adjusted to that?
To be honest, I am familiar with PHP. But to adjust your MediaWiki extension for my purpose is far too challenging for me. Additionally, I’m willing to pay for your help and support in this subject. Please contact me. You should have my email address.
Thanks a lot in advance.
Greetings
Rainer