Fossil

Check-in [261e5534]

Overview
Comment: Additional clarification in the Password Management document.
SHA1: 261e55346d1b98dd7c2adb24c364c75545d4a054
User & Date: drh 2010-01-11 16:21:46
Context
2010-01-12
13:55
Merge the experimental password changes into the trunk. check-in: 596f3c10 user: drh tags: trunk
2010-01-11
16:21
Additional clarification in the Password Management document. Closed-Leaf check-in: 261e5534 user: drh tags: experimental
16:09
Updates to the Password Management document. check-in: 1cba86ea user: drh tags: experimental
Changes

Changes to www/password.wiki.

The only way to insert a new cleartext password into the USER table
is to do so manually using SQL commands.  For example:

<blockquote><pre>
UPDATE user SET pw='asdfg' WHERE login='alice';
</pre></blockquote>

<h2>Web Interface Authtentication</h2>

When a user logs into Fossil using the web interface, the login name
and password are sent in the clear to the server.  The server then
hashes the password and compares it against the value stored in USER.PW.
If they match, the server sets a cookie on the client to record the

The only way to insert a new cleartext password into the USER table
is to do so manually using SQL commands.  For example:

<blockquote><pre>
UPDATE user SET pw='asdfg' WHERE login='alice';
</pre></blockquote>

Note that an password that is an empty string or NULL will disable
all login for that user.   Thus, to lock a user out of the system,
one has only to set their password to an empty string, using either
the web interface or direct SQL manipulation of the USER table.
Note also that the password field is
essentially ignored for the special users named "anonymous", "developer",
"reader", and "nobody".  It is not possible to authenticate as users
"developer", "reader", or "nobody" and the authentication protocol
for "anonymous" use one-time captchas not persistent passwords.

<h2>Web Interface Authtentication</h2>

When a user logs into Fossil using the web interface, the login name
and password are sent in the clear to the server.  The server then
hashes the password and compares it against the value stored in USER.PW.
If they match, the server sets a cookie on the client to record the
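Review bot: the paragraph added in this hunk ("Note that an password that is an empty string or NULL will disable all login ...") has two grammatical slips that should be fixed before merge: "an password" should read "a password", and "the authentication protocol for "anonymous" use one-time captchas" needs "uses". The unchanged context heading immediately below it, `<h2>Web Interface Authtentication</h2>`, also misspells "Authentication"; since this check-in is already editing this part of the document, it is worth correcting in the same change. On the substance, the new text is a useful clarification: it documents that an empty or NULL USER.PW value disables login for that user, which is the mechanism behind the lock-out advice, and it states that the password field is not consulted for the special users "anonymous", "developer", "reader", and "nobody". One wording point: "disable all login for that user" would be clearer as "disable all logins for that user", and the sentence about setting the password "using either the web interface or direct SQL manipulation of the USER table" could cross-reference the `UPDATE user SET pw=...` example a few lines above so readers see the SQL form next to its consequences.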