Ok, but we need to discuss the details first.
1. I don't have a clear picture of what auth_browseruid() is used for and whether it will break anything if we change it. I ran a quick code search for it and for buid. Looks to me like we can change it, but let me know if it will cause problems.
Here are my suggestions for improving auth_browseruid(), tell me which ones you agree with:
2. Regarding page locking, in unlock() we have:
if($ip == $INPUT->server->str('REMOTE_USER') || $ip == clientIP() || $session == session_id()) {
@unlink($lock);
So if the IP address matches, the code ignores session_id(). But why is the IP address used at all? For anonymous users, isn't session_id() enough? If only session_id() would be used, this would make page locks work for people editing the wiki from the same IP (which can happen in an office space, for example).
So unless I'm missing something, I propose removing clientIP() from the page locking code. The session_id() seems sufficient. If you agree, I'll prepare a pull request.
3. About AnonIP: the more precise we make auth_browseruid() (using the suggestions above), the more information will be disclosed if the hash is cracked. Here's a hashcat benchmark from 2016, where hashcat rams through MD5 at 200.3 GH/s and SHA256 at 23012 MH/s. Whatever changes we make to auth_browseruid(), it won't offer enough protection for IPv4 users. A determined attacker will just get more info: IP, useragent, language setting.
So, I suggest two options:
- if you agree with removing clientIP() from page locking, the plugin can just set the IP to 0.0.0.0 without causing any problems
- otherwise, the plugin can use session_id() instead of auth_browseruid().
Let me know your thoughts.
PS: By the way, the page locking system can be used in a simple denial of service attack to block anonymous users from editing anything. Some users may be ok with this attack vector being available, but not all. Maybe there should be an option to disable page locking for anonymous users.
Perhaps a better system than page locking would be to just tell you that the page changed while you were editing it, with a message pointing you to the diff. You would be asked again to confirm before saving.