• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..Today-

lang/H28-May-2020-161114

README.mdH A D28-May-20208 KiB167114

TODOH A D28-May-2020483 147

action.phpH A D28-May-20202.6 KiB7350

admin.phpH A D28-May-20203.5 KiB11067

helper.phpH A D28-May-20206.6 KiB215165

plugin.info.txtH A D28-May-2020265 76

rsalib.jsH A D28-May-202021.8 KiB990804

script.jsH A D28-May-20201.4 KiB4832

securelogin.jsH A D28-May-20204.9 KiB137114

style.cssH A D28-May-2020139 66

README.md

1# Securelogin Dokuwiki Plugin
2
3**Not Maintained** - *While it still works with the below versions, this repo has been archived. See the [Plugin page](https://www.dokuwiki.org/plugin:securelogin) for any updated details, patches, or for those who may wish to adopt it.*
4
5This plugin uses [Tom Wu's implementation of the RSA algorithm in JavaScript](http://www-cs-students.stanford.edu/~tjw/jsbn/) on the client browser (before it leaves your computer) to encrypt the login password with the server's public key. The encrypted password is then sent to the server where it can be decrypted. Man-in-the-middle attacks are prevented by adding a variable token (salt) to the password before encrypting. Therefore, replay attacks don't work.
6
7When Securelogin is used, there is always a `use securelogin` checkbox near the password field. If the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWiki. In this case though, the user *should* notice the absence of the checkbox.
8
9Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the login, profile, or admin pages.
10
11In short, it takes your password:
12
13```
14p:MySecretPa$$word
15```
16
17And instead has the login/profile/admin page submit the password as:
18
19```
20securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTN....
21```
22
23### Works with
24
25  * 2018-04-22b "Greebo"
26  * 2017-02-19 "Frusterick Manners"
27  * 2016-06-26 "Elenor Of Tsort"
28  * 2015-08-10 "Detritus"
29  * 2014-09-29 "Hrun"
30
31### Uses RSA, which may be vulnerable to certain attacks
32
33Attacks against RSA have become easier. This plugin uses RSA and needs to be rewritten to use a different library/encryption mechanism. As it is, it may be vulnerable to certain targeted man-in-the-middle attacks. Though it appears that those attacks may still be fairly expensive against a regular wiki site. If in doubt, see the next section.
34
35
36### Please use HTTPS, CORS, and others
37
38This plugin was made when HTTPS was pricey (for a wiki), but we still wanted as much security as we could get. Now that one can easily have HTTPS, CORS, [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), etc, it's not as relevant. Consider it as just a possible extra layer of security. Your first priority should always be a good server setup with the latest in security. I've left this here for those that want it.
39
40Because good security is like a onion. You want a lot of layers in order keep things protected even *when* some layers fail.
41
42### CAPTCHA Plugin Login Issue
43
44If the [CAPTCHA plugin](https://www.dokuwiki.org/plugin:captcha) is enabled on the login page with this plugin, the CAPTCHA will not be processed. ie, the user can enter whatever, and the login will be processed like normal. So Bots can attempt to login and ignore the CAPTCHA.
45
46A wrong password will still fail. And Securelogin will still encrypt the password. The login will just act as if CAPTCHA is not installed. The CAPTCHA plugin should still work elsewhere on the site.
47
48### Installation and Setup
49
50  - Search for and install the plugin using the [Extension Manager](https://www.dokuwiki.org/plugin:extension).
51  - Once installed, go the Admin page and select "Secure login configuration".
52  - Under "Generate new key pair", click the "Generate" button.
53  - Click the "Test" button to verify your setup. If all is working, a bubble will appear containing whatever was in the "Test Message" box.
54
55You're done. From then on, all passwords are encrypted before being sent.
56
57To manually install the plugin, please see the [manual install instructions](https://www.dokuwiki.org/plugin_installation_instructions). Then follow the last three steps above.
58
59### Older Versions
60
61> Don't use this unless you have to. It's not supported. It's better to upgrade your Installation.
62
63For support for these older versions use [this version of Securelogin](https://github.com/dokuwiki-securelogin-archive/dokuwiki-securelogin/archive/c1f0a0e018cedfd29a48ab157098efe480e37049.zip) and install it manually.
64  * 2014-05-05 "Ponder Stibbons"
65  * 2013-12-08 "Binky"
66  * 2013-05-10a Weatherwax
67  * 2012-10-13 Adora Belle
68
69## Details of how it works
70
71Normally when you submit your 'MySecretPa$$word', you will see it in the data transfer:
72
73```
74sectok:
75id:start
76do:login
77u:MyUser
78p:MySecretPa$$word
79```
80
81You can easily see the 'MySecretPa$$word' in the above example.
82
83But when you use this plugin, it will encrypt the password, which can only be decrypted on the server.
84
85```
86sectok:
87id:start
88do:login
89u:MyUser
90p:******
91use_securelogin:1
92securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/uzfxJsO8jAbFD6/ZkB0xy9vBMabn3BYP7GWLrTR3b/7zNdla/FdqjX9U48dHMrcO2/ZFJKLsdzt84/bC+3xoV7/qC/BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q==
93```
94
95The javascript on the page takes the form's password variable `p=MySecretPa$$word`, encrypts it with the provided salt (that changes on each page load), and sets the result as `securelogin`. It also replaces `p`'s value with stars so it can't submit the password in the clear.
96
97When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does.
98
99This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password:
100
101```
102do:profile
103fullname:MyUser
104email:user@example.com
105newpass:******
106passchk:******
107oldpass:******
108use_securelogin:1
109securelogin:mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/f7EYKXozXpMNHA3l/VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/BHUgbmCPQV6XNWttZbRp8r1Q1dG/g==
110```
111
112In this case, all three passwords are encrypted into `securelogin`, and the post values replaced with stars.
113
114## Changelog
115
116  * **20200527**
117    * Updated url to archived location of repo.
118
119  * **20200418**
120    * Quoted array keys for php 7.2
121
122  * **20180217** Thanks to [Christian Paul](https://github.com/jaller94) for reporting
123    * Fixed issue where second password was not encrypted on add/modify users
124
125  * **20150928** Thanks to [Satoshi Sahara](https://github.com/ssahara)
126    * made compatible with DokuWiki 2015-08-10 "Detritus"
127    * replace deprecated split() function call
128    * prevent PHP error output
129    * use PHP5 constructor method for classes
130    * Improved coding style and added license header in source files
131
132  * **20140923** Thanks to [Hideaki SAWADA](https://github.com/sawachan)
133    * Japanese language files added
134
135  * **20140417**
136    * Changed download link per Mikhail I. Izmestev's [request](http://github.com/izmmisha/dokuwiki-securelogin/pull/1)
137    * Updates to plugin info in admin page, like the website link and more unified info.
138
139  * **20130519**
140    * added jQuery patches. Thanks to Casper
141
142  * **20101121**
143    * add german translation. Thanks to Heiko Barth
144    * fix finding pubkey info with openssl 0.9.8
145    * fix escaping encoded data (now supports non ascii passwords)
146
147  * **20101105**
148    * fixed support php < 5.2
149    * added plugin.info.txt
150
151  * **20101101** Thanks to Christophe Martin
152    * fix bug with some chars in passwords
153
154  * **20091213**
155    * add support of usermanager plugin
156
157  * **20091206** Thanks to Christophe Martin
158    * fix unclosed < div id="secure__login" >
159    * add showlogin compat
160
161  * **20090901** Thanks to Jan Hána
162    * add Czech translation
163
164  * **20090802** Thanks to Christophe Martin
165    * fix problem with URL-rewrite DokuWiki method
166    * add French translation
167