Question

From Paul Johnson, Assoc. Prof., Political Science, University of Kansas <pauljohn@ku.edu>

I installed Twiki on a DEC server where I have a user account. It runs cgi scripts under cgiwrap and the .htaccess file is ignored by the web server.

My page is here in case you want to test it out:

http://www.ku.edu/cgiwrap/pauljohn/twiki/view

Everything works, except the "more" button by the diffs. I have not figured that out yet.

In order to make this go, I've hacked a bit to make it so that the twiki data/libraries are under my home dir, the twiki htdocs files are under public_html/twiki and the cgi scripts are under public_html/cgi-bin/twiki.

Since I can't get .htaccess authentication working, I'm experimenting with ways to "trick" Twiki scripts to work the way I want.

The first step is to use:

$doRememberRemoteUser = "1";

So if the browser does authenticate against anything, many of the TWiki scripts will remember the user. I find that it is possible for me to create a web page with just these contents:

and put an .htaccess file in the dir with that page and it forces authentication before TWiki does the view. So if I log in as a user, then TWiki remembers the user name and it uses it when I edit pages and so forth.

OK, so far so good. IT is not as good as the full authentication you get with .htaccess, but it may be the best I hope for. But what I need now are a couple of administrative tools. Can you help?

1 I need to DISABLE the TWikiGuest access on all pages in my site. If people have not authenticated themselves, I don't want them to be able to do anything. ANd if they fail at something, I want to send them back to that password protected place I mention above.

2 I need a "login" button on every Wiki page so that users are forced to go to the htaccess protected link I refer to above.

3 I need to understand why the browser sometimes remembers the username and password I give, and sometimes it does not. It is very frustrating to me that while I test this I keep having to close Mozilla and go away a while in order to cause the htaccess check to pop up again. If I log in once, it remembers the values I type in and then I can't test any new users.

Has anybody been through this?

• TWiki version: 20011201
• Perl version: 5.6
• Web server: Apache
• Server OS: DEC Alpha
• Web browser: Mozilla
• Client OS: Linux

-- TWikiGuest - 03 Dec 2002

Answer

Some thoughts:

1. DISABLE the TWikiGuest access: In TWikiPreferences set the DENYWEBCHANGE to TWikiGuest. See details in TWikiAccessControl. You might want to add a link to the registration page in templates/oopsaccesschange.tmpl, the message shown on failed authorization.

2. "Login" button on every page: Add a linked button image or a form button to the templates/view.tmpl template, pointing to your login page.

3. User login caching: Basic authentication always sends a username/password request to the browser. The browser prompts the user only the first time, then it does it ion the background so that the user does not need to re-authenticate on every page request. Browser typically do not hava a way to forget about the caching, that is why you need to restart your browser. Some browsers might have a prefereneces setting where you can clear the user name/password caching.

-- PeterThoeny - 06 Dec 2002

Thank You Very Much

Your advice in 1 and 2 works fine. With the Login button I create, the users always end up back at the main view page, but aside from that, I think everything is working fine now.

Paul Johnson <pauljohn@kuSTOPSPAM.edu> - 06 Dec 2002