[wp-hackers] Single sign-on with Wordpress & Mediawiki

Callum Macdonald lists.automattic.com at callum-macdonald.com
Tue Oct 30 21:49:54 GMT 2007


I agree, it sounds very much like OpenID.

Rather than re-invent the wheel I'd suggest using OpenID as a basis. 
There are OpenID plugins for an awful lot of OSS apps out there already, 
including WordPress, MediaWiki, etc.

I'm not sure WordPress makes the best base to store the user tables.
1) Passwords are stored insecurely (the hashes should be salted)
2) The login cookies are ridiculously easy to fake (simply md5 what's in 
the db)

Something which stores passwords salted, and keeps a separate key for 
login would be much more secure. If you suspect your database might have 
been stolen, simply update all the login tokens. Every user has to log 
in again, no major inconvenience. With WordPress, you'd have to send 
everyone new passwords, major pain in the ass.

That's my tuppence worth!

Cheers - Callum.

DD32 wrote:
> On Tue, 30 Oct 2007 08:18:28 +1100, Sneaks <0vcqn5q02 at sneakemail.com> wrote:
>   
>> how about an open-source, WP-suite of auth sharing plugins for commonly
>> bundled software?
>>
>> 1. mediawiki
>> 2. bbPress
>> 3. ??
>>
>> I'll host SVN and a website if anyone wants to do this.
>>     
>
> I was just thinking of something similar, Something which acts like Google's signin page might be good, All sign in attempts get redirected from 3rd party software to WP's login page, If the user is already logged in, it redirects back to the application with a key, the plugin in that software package reads the key, checks if it's correct, and then logs the user into that application too, Actually, That's sounding a bit like OpenID, except more streamlined for a single domain.
>
> That is assuming that other software have the great plugin hooking abilities that WP has :)
>   
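
The scheme described in the reply above (salted password hashes plus a login token kept separate from the password), sketched as an added example; it is not code from the thread, from WordPress or from any plugin. The in-memory `users` dict, the function names and the PBKDF2 round count are assumptions, and storing only a digest of the token goes one step beyond the email.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
users = {}               # username -> record; stands in for the user table


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _token_digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords hash differently
    users[name] = {"salt": salt, "pw": _pw_hash(password, salt), "token": None}


def login(name: str, password: str):
    """Return a cookie value on success, None on failure."""
    rec = users.get(name)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
        return None
    token = secrets.token_urlsafe(32)    # random, unrelated to the password hash
    rec["token"] = _token_digest(token)  # the table holds only a digest of the token
    return f"{name}:{token}"


def check_cookie(cookie: str) -> bool:
    # The token never contains ':', so split on the last one.
    name, _, token = cookie.rpartition(":")
    rec = users.get(name)
    if rec is None or rec["token"] is None:
        return False
    return hmac.compare_digest(rec["token"], _token_digest(token))


def revoke_all_logins() -> None:
    """Response to a suspected database theft: drop every login token.
    Password hashes are untouched, so users just log in again."""
    for rec in users.values():
        rec["token"] = None
```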


