<div>
<ul>
- <li><a href="#TWiki Authentication"> TWiki Authentication</a><ul>
- <li><a href="#Authentication Options"> Authentication Options</a></li>
- <li><a href="#Tracking by IP Address"> Tracking by IP Address</a></li>
+ <li><a href="#TWiki User Authentication"> TWiki User Authentication</a><ul>
+ <li><a href="#Overview"> Overview</a></li>
+ <li><a href="#Authentication Options"> Authentication Options</a><ul>
+ <li><a href="#Partial Authentication"> Partial Authentication</a></li>
+ </ul>
+ </li>
<li><a href="#TWiki Username vs. Login Usernam"> TWiki Username vs. Login Username</a></li>
+ <li><a href="#Changing Passwords"> Changing Passwords</a></li>
</ul>
</li>
</ul>
</div>
-## <a name="TWiki Authentication"></a> TWiki Authentication
+## <a name="TWiki User Authentication"></a> TWiki User Authentication
-TWiki does not authenticate users internally, it depends on the <code>**REMOTE\_USER**</code> environment variable. This variable is set when you enable basic authentication or authentication via SSL (https protocol).
+_TWiki site access control and user activity tracking_
+
+### <a name="Overview"></a> Overview
+
+TWiki does not authenticate users internally, it depends on the <code>**REMOTE\_USER**</code> environment variable. This variable is set when you enable Basic Authentication (.htaccess) or SSL "secure server" authentication (https protocol).
TWiki uses visitor identification to keep track of who made changes to topics at what time and to manage a wide range of personal site settings. This gives a complete audit trail of changes and activity.
### <a name="Authentication Options"></a> Authentication Options
-No special installation steps need to be performed if the server is already authenticated. If not, you have three remaining options to controlling user access:
+No special installation steps need to be performed if the server is already authenticated. If not, you have three standard options for controlling user access:
+
+1. **Forget about authentication** to make your site completely public - anyone can browse and edit freely, in classic Wiki mode. All visitors are assigned the [[TWikiGuest]] default identity, so you can't track individual user activity. <br />
+2. **Use SSL** (Secure Sockets Layer; HTTPS) to authenticate and secure the whole server. <br />
+3. **Use Basic Authentication (HTAccess)** to control access by protecting key scripts: `attach`, `edit=`, `installpasswd`, `password`, `preview`, `rename`, `save`, `upload`, `view`, `viewfile` using .htaccess files. The [[TWiki Installation Guide|Main/TWikiDocumentation#TWiki_Installation_Notes]] has step-by-step instructions.
+
+#### <a name="Partial Authentication"></a> Partial Authentication
-1. **Forget about authentication.** All changes are registered to [[TWikiGuest]] user, so you can't tell who made changes. Your site is completely open and public.
-2. **Use Basic Authentication** for the <code>**edit**</code> and <code>**attach**</code> scripts. This uses .htaccess and generates the familiar grey log-in window. [[TWiki Installation Notes|Main/TWikiDocumentation#TWiki_Installation_Notes]] has more.
-3. **Use SSL** to authenticate and secure the whole server.
+**Tracking by IP address** is an experimental feature, enabled in `lib/TWiki.cfg`. It lets you combine open access to some functions, with authentication on others, with full user activity tracking:
-### <a name="Tracking by IP Address"></a> Tracking by IP Address
+- Normally, the <code>**REMOTE\_USER**</code> environment variable is set for the scripts that are under authentication. If, for example, the <code>**edit**</code>, <code>**save**</code> and <code>**preview**</code> scripts are authenticated, but not <code>**view**</code>, you would get your [[WikiName]] in <code>**preview**</code> for the <code>**%WIKIUSERNAME%**</code> variable, but <code>**view**</code> will show <code>**TWikiGuest**</code> instead of your WikiName.
-The <code>**REMOTE\_USER**</code> environment variable is only set for the scripts that are under authentication. If, for example, the <code>**edit**</code>, <code>**save**</code> and <code>**preview**</code> scripts are authenticated, but not <code>**view**</code>, you would get your [[WikiName]] in <code>**preview**</code> for the <code>**%WIKIUSERNAME%**</code> variable, but <code>**view**</code> will show <code>**TWikiGuest**</code> instead of your WikiName.
+- TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts, like <code>**view**</code>, will show the correct username instead of [[TWikiGuest]].
-There is a way to tell TWiki to remember the user for the scripts that are not authenticated, ex: in case the <code>**REMOTE\_USER**</code> environment variable is not set. TWiki can be configured to remember the IP address/username pair whenever an authentication happens (edit topic, attach file). Once remembered, the non-authenticated scripts like <code>**view**</code> will show the correct username instead of <code>**TWikiGuest**</code>. You can enable this by setting the <code>**$doRememberRemoteUser**</code> flag in <code>**TWiki.cfg**</code>. TWiki persistently stores the IP address / username pairs in file <code>**$remoteUserFilename**</code>, which is <code>**"$dataDir/remoteusers.txt"**</code> by default. Please note that this can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers.
+- Enable this feature by setting the <code>**$doRememberRemoteUser**</code> flag in `TWiki.cfg`. TWiki then persistently stores the IP address/username pairs in the file, `$remoteUserFilename`, which is `"$dataDir/remoteusers.txt"` by default.
-**Authentication Test:** You are Main.admin (%WIKIUSERNAME%)
+- **_NOTE:_** This approach can fail if the IP address changes due to dynamically assigned IP addresses or proxy servers.
+
+**Quick Authentication Test** - Use the %WIKIUSERNAME% variable to return your current identity:
+
+- You are Main.admin
### <a name="TWiki Username vs. Login Usernam"></a> TWiki Username vs. Login Username
%WIKITOOLNAME% internally manages two usernames: Login username and TWiki username.
- **Login username:** When you login to the intranet, you use your existing login username, ex: <code>**pthoeny**</code>. This name is normally passed to %WIKITOOLNAME% by the <code>**REMOTE\_USER**</code> environment variable, and used by internally by %WIKITOOLNAME%. Login usernames are maintained by your system administrator.
+
- **TWiki username:** Your name in [[WikiNotation]], ex: <code>**PeterThoeny**</code>, is recorded when you register using [[TWikiRegistration]]; doing so also generates a personal home page in the Main web.
%WIKITOOLNAME% can automatically map an intranet username to a TWiki username, provided that the username pair exists in the [[TWikiUsers]] topic. This is also handled automatically when you register.
>
> everywhere but in the Main web.
+<a name="ChangingPasswords"></a>
+
+### <a name="Changing Passwords"></a> Changing Passwords
+
+Change and reset passwords using forms on regular pages. Use [[TWikiAccessControl]] to restrict use as required.
+
+- The [[ChangePassword]] form ( <code>**TWiki/ChangePassword**</code> ):
+
+>
+
+- The [[ResetPassword]] form ( <code>**TWiki/ResetPassword**</code> ):
+
+>
+
-- [[PeterThoeny]] - 16 Mar 2001 <br /> -- [[MikeMannix]] - 29 Aug 2001