version=pmwiki-2.3.14 ordered=1 urlencoded=1
author=Petko
charset=UTF-8
csum=$CookieSameSite (+265)
ctime=1156512569
name=PmWiki.SecurityVariables
rev=51
targets=PmWiki.SecurityVariables,PmWiki.PasswordsAdmin,PmWiki.AuthUser,PmWiki.Functions,PmWiki.AvailableActions,Cookbook.FailedLoginFunction,PmWiki.EditVariables,PmWiki.UploadVariables,PmWiki.Security,PmWiki.PagelistVariables
text=
(:Summary:variables crucial for site security:)
:$AllowPassword: This variable contains the special "nopass" password which was used in the past to leave pages or groups accessible without a password. Recent PmWiki versions use "@nopass" instead. If your wiki is old and/or may contain pages with the "nopass" password, you should not change it. If that variable is empty or set to false, PmWiki will not check if pages have a special "allowed password".

:$DefaultPasswords: Specifies default passwords for user admin or actions (edit, read, upload). See [[PmWiki/PasswordsAdmin#settingsitewidepasswords]].

:$DenyHtaccessContent: Specifies the default content for @@.htaccess@@ files created by PmWiki in new directories under wiki.d. The Apache server [[https://httpd.apache.org/docs/2.4/upgrading.html#run-time|changed these directives in version 2.4]]. The default value should work for both new and older server versions.

:$EnablePostAttrClearSession: A switch to control whether or not changing a page's attributes causes any existing passwords to be forgotten. The default is that changing attributes forgets any passwords entered; this can be changed by setting $EnablePostAttrClearSession to zero.

:$EnableSessionPasswords: Controls whether passwords are saved as part of the session. If set to zero, session passwords are never saved (although any [[AuthUser]] authentications are still remembered).

:$SetCookieFunction: A custom function name to send cookies to the browser, instead of @@[[Functions#pmsetcookie|pmsetcookie()]]@@. It should accept the same arguments as @@pmsetcookie()@@.

:$EnableCookieSecure: Set to 1 to enable the "[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie|Secure]]" flag for core PmWiki cookies (they will only be transmitted via HTTPS). This includes author, preference, and cache core cookies and any custom cookies set via @@pmsetcookie()@@.\\
Note: the session cookie and all other PmWiki cookies are affected.

:$EnableCookieHTTPOnly: Set to 1 to enable the "[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie|HttpOnly]]" flag for core PmWiki cookies (they will not be made available to JavaScript). This includes author, preference, and cache core cookies and any custom cookies set via @@pmsetcookie()@@.\\
Note: the session cookie and all other PmWiki cookies are affected.

:$CookieSameSite: The "[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie|SameSite]]" flag for cookies sent via @@pmsetcookie()@@; defaults to 'Lax'. See this [[https://techcommunity.microsoft.com/t5/iis-support-blog/samesite-lax-in-the-new-world/ba-p/1156292|article]] about the implications.

:$SessionEncode: Function used to encode sensitive information in sessions. Set this to NULL if you do not want to use any encoding. (See also $SessionDecode below.)

:$SessionDecode: Function to reverse the encoding applied by $SessionEncode above. Set this to NULL if sensitive session values are not encoded.

:$HandleAuth: Sets the authorization level required to perform an [[PmWiki/AvailableActions|action]]. With the following line in your @@config.php@@ you need to be authenticated as an editor in order to view the page history:
 $HandleAuth['diff'] = 'edit';

:$PageAttributes: Sets the string shown on the attributes page when entering a password for an action.

:$AuthLDAPBindDN: For sites using [[AuthUser]] with LDAP authentication, this specifies the distinguished name (DN) used to bind to the LDAP server to check identity.

:$AuthLDAPBindPassword: For [[AuthUser]] with LDAP authentication, this specifies the password used for binding (in conjunction with $AuthLDAPBindDN above).

:$AuthLDAPReferrals: Specifies whether to automatically follow referrals returned by the LDAP server; set to 1 to enable or 0 to disable. By default this variable is unset, and the connection follows referrals if they are enabled on the server side (they usually are).

:$MultiFactorAuthFunction: ([[AuthUser]] only) A custom function performing a multi-factor authentication (MFA, 2FA) check. It is called by AuthUserId() after the password authentication has succeeded, with the username and password as arguments, and should return true if the second factor was verified, false otherwise.

:$FailedLoginsFunction: ([[AuthUser]] only) A custom function to perform a check for multiple failed logins; see Cookbook:FailedLoginFunction.

:$EnablePublishAttr: Adds a new "publish" authorization level to distinguish editing of drafts from publishing. See $EnableDrafts.

:$EnablePageVarAuth: In PmWiki versions 2.2.22 and 2.2.23 this variable should be set to 0. In 2.2.24 it will no longer be used.

:$RobotActions: An array controlling which [[AvailableActions|actions]] can be reached by web bots. The array keys are the actions; if the value is 1 or true then the action is reachable. If an action is not defined as a key, or if the value for that key evaluates to false or zero, a bot requesting this action will be refused. By default, only the actions "browse", "rss" and "dc" are reachable by bots. For example:\\
@@$RobotActions['download'] = 1; @@ # '''allow''' bots to download files with disabled $EnableDirectDownload (page permissions are respected)\\
@@$RobotActions['rss'] = 0; @@ # '''disallow''' bots from getting the RSS feed\\
@@$RobotActions['print'] = 1; @@ # allow bots to get the print view\\
The variable can have custom actions used by cookbook recipes as keys.

:$RobotPattern: A regular expression pattern matching the known user-agent strings of bots.

:$EnableRobotCloakActions: Setting this flag to 1 removes any forbidden ?action= values from page links returned to robots, which reduces the bandwidth load from robots even further.

See also:
* [[Security]]
* $EnablePageListProtect
* $EnableDirectDownload

time=1669022081
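As an added example (not part of this page and not PmWiki's own code), the following local/config.php fragment applies the cookie, session, $HandleAuth and $RobotActions settings documented above and supplies a $MultiFactorAuthFunction that verifies a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps) after AuthUser has accepted the password. The variables and the calling convention (username and password as arguments, boolean return) follow the page; everything prefixed Hypothetical, the $HypotheticalTotpSecrets array and the 'totp' login-form field name are assumptions of this example.

```php
<?php if (!defined('PmWiki')) exit();
// Added example, not PmWiki's own code: local/config.php fragment applying
// the security variables described on this page.

// Core cookies only over HTTPS, hidden from JavaScript, SameSite=Lax.
$EnableCookieSecure = 1;
$EnableCookieHTTPOnly = 1;
$CookieSameSite = 'Lax';

// Keep the default: forget entered passwords when page attributes change.
$EnablePostAttrClearSession = 1;

// Viewing page history requires the edit password.
$HandleAuth['diff'] = 'edit';

// Bots may only browse and fetch feeds; strip forbidden ?action= links
// from pages served to them.
$RobotActions = array('browse' => 1, 'rss' => 1, 'dc' => 1, 'print' => 0);
$EnableRobotCloakActions = 1;

// AuthUser: after the password check, require a valid TOTP code.
$MultiFactorAuthFunction = 'HypotheticalTotpCheck';

// Constructed sample: base32 TOTP secrets per user (assumption of this
// example; a real site would keep these outside the document root).
$HypotheticalTotpSecrets = array('alice' => 'JBSWY3DPEHPK3PXP');

// Decode RFC 4648 base32 into raw bytes; returns false on bad input.
function HypotheticalBase32Decode($b32) {
  $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  $b32 = strtoupper(rtrim($b32, '='));
  if ($b32 === '') return false;
  $bits = '';
  foreach (str_split($b32) as $c) {
    $v = strpos($alphabet, $c);
    if ($v === false) return false;
    $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
  }
  $out = '';
  foreach (str_split($bits, 8) as $byte) {
    if (strlen($byte) == 8) $out .= chr(bindec($byte));
  }
  return $out;
}

// RFC 4226 / RFC 6238: 6-digit HMAC-SHA1 code for one time step.
function HypotheticalTotpCode($secret, $step) {
  // 'J' packs the step as an unsigned 64-bit big-endian counter.
  $hmac = hash_hmac('sha1', pack('J', $step), $secret, true);
  $offset = ord($hmac[19]) & 0x0f;
  $code = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
  return str_pad($code % 1000000, 6, '0', STR_PAD_LEFT);
}

// Called by AuthUserId() with the username and password once the password
// has been accepted. The password is unused here; the function must return
// true only if the second factor verifies.
function HypotheticalTotpCheck($username, $password) {
  global $HypotheticalTotpSecrets;
  // The 'totp' login-form field is an assumption of this example.
  $submitted = isset($_POST['totp']) ? trim($_POST['totp']) : '';
  if (!isset($HypotheticalTotpSecrets[$username])) return false;
  if (!preg_match('/^[0-9]{6}$/', $submitted)) return false;
  $secret = HypotheticalBase32Decode($HypotheticalTotpSecrets[$username]);
  if ($secret === false) return false;
  $step = (int) floor(time() / 30);
  // Accept the current 30-second step and one step either side for clock
  // drift; compare in constant time.
  foreach (array(-1, 0, 1) as $drift) {
    $expected = HypotheticalTotpCode($secret, $step + $drift);
    if (hash_equals($expected, $submitted)) return true;
  }
  return false;
}
```

The fragment assumes the login form carries a 'totp' field, which it does not add itself; a user without an enrolled secret is refused rather than let through, so enrol every AuthUser account before enabling the function. Because $EnableCookieSecure is set, the wiki must be served over HTTPS or the author and session cookies will never reach the server.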