[Tickets #8423] H4 Security Audit
bugs at horde.org
Fri Jul 10 02:57:07 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/8423
------------------------------------------------------------------------------
Ticket | 8423
Created By | Chuck Hagenbuch <chuck at horde.org>
Summary | H4 Security Audit
Queue | Horde Base
Version | HEAD
Type | Enhancement
State | Assigned
Priority | 2. Medium
Milestone | 4.0
Patch |
Owners | Horde Developers, Chuck Hagenbuch
------------------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2009-07-09 22:57) wrote:
deprecate blatantly insecure auth schemes; make sure to use a salted auth scheme by default
need a hook or setting to limit # of unsuccessful login attempts to horde
need a hook or setting to limit easily guessable passwords
require re-authentication before changing passwords, or other sensitive operations
don't use the same secret key for multiple purposes
allow key rotation
reference:
http://cookies.lcs.mit.edu/
http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
make sure cookies are set with the secure flag when ssl is used
get rid of URL-based sessions entirely
limit the lifetime of even session-based cookies
authenticator cookie:
exp=t&data=s&digest=MAC(exp=t&data=s)
- push the username and some other basic info (browser string, ip, ... ?) into the data parameter ("s"), to avoid having to init the session on most page loads
- store other session data by key in a backend, accessed on-demand and saved only when dirty? what about commonly used info like prefs? cache with username in the key in the cache backend instead?
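The authenticator-cookie format sketched in the ticket, worked through as an added Python example (not Horde code and not from the ticket): an HMAC over exp=t&data=s, constant-time verification, server-enforced expiry, a per-purpose derived key, and acceptance of retired keys during rotation. The master secret, purpose labels and sample user data are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

HASH = hashlib.sha256


def derive_key(master_key: bytes, purpose: str) -> bytes:
    """One master secret, a distinct key per purpose (authenticator cookie,
    CSRF token, ...), so one secret is never reused for two purposes."""
    return hmac.new(master_key, purpose.encode(), HASH).digest()


def make_authenticator(key: bytes, data: str, expires_at: int) -> str:
    """Build exp=t&data=s&digest=MAC(exp=t&data=s). 'data' carries the
    username and other basic info; urlencode escapes any '&' or '=' in it."""
    body = urlencode({"exp": expires_at, "data": data})
    digest = hmac.new(key, body.encode(), HASH).hexdigest()
    return f"{body}&digest={digest}"


def verify_authenticator(cookie: str, keys: list, now: int):
    """Return the authenticated 'data' string, or None if the cookie is
    forged, tampered with or expired. 'keys' lists the current key first,
    then older keys still accepted while rotation is in progress."""
    body, sep, digest = cookie.rpartition("&digest=")
    if not sep:
        return None
    for key in keys:
        expected = hmac.new(key, body.encode(), HASH).hexdigest()
        # constant-time comparison so the MAC cannot be guessed byte by byte
        if hmac.compare_digest(expected, digest):
            break
    else:
        return None  # no current or retired key produced this MAC
    try:
        fields = parse_qs(body, strict_parsing=True)
        expires_at = int(fields["exp"][0])
        data = fields["data"][0]
    except (ValueError, KeyError):
        return None
    if now >= expires_at:
        return None  # expired: lifetime is enforced server-side, not by the browser
    return data


if __name__ == "__main__":
    key = derive_key(b"constructed-master-secret", "authenticator-cookie")
    cookie = make_authenticator(key, "user=alice&ua=Mozilla/5.0", 1_700_000_000)
    print(cookie, verify_authenticator(cookie, [key], now=1_699_999_000))
```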