[horde] Autologin into Horde
Michael M Slusarz
slusarz at horde.org
Tue Apr 16 23:00:32 UTC 2013
Quoting Michael M Slusarz <slusarz at horde.org>:
> I guess another possible option would be to regenerate the session
> ID after a certain period of time if the client appears to still be
> active. This eliminates the security concern of someone recovering
> the session ID and being able to use it, while allowing us to forgo
> re-authentication. However, I don't think the framework is in place
> for this to work in dynamic applications if not using COOKIES (there
> may be links present on the page containing the old session ID).
> But maybe we ignore this use-case, since we already heavily disfavor
> non-cookie based sessions as it is?
Played around with this idea this afternoon and it seems to work well.
At a minimum, it provides some protection against session fixation
attacks by periodically changing the session identifier in active
sessions (the regeneration value is either half the maximum session GC
time, or 1 day if no GC is active).
Cookie based sessions see this value automatically updated in the
cookie. Non-cookie based dynamic sessions now send the SID on every
request in order to catch SID changes.
The 1 DoS issue I can think of is if multiple dynamic requests are
received at the same time - if the SID changes in the first request
one of the subsequent cached requests will try to access a
non-existent session and will cause a logout. Although...
1) This should be very rare.
2) I'm actually not sure if this will even occur. Since these
requests are waiting for R/W access on the session data, the old
session data may not be deleted until these queued requests are
completed (likewise, I'm not sure if this will point to the new
session data or the old session data). The documentation doesn't
discuss this in any detail.
3) Although even if PHP behaves in #2, there is still the edge case of
changing the SID and the request returning the SID to the browser, and
in between the time session is closed and the new SID is recieved the
browser fires off a request with the old SID. Not sure if this edge
case is worth dealing with.
An option to fix is to create a periodic request from the browser to
explicitly change the SID that locks out all other requests until it
is completed. It could be scheduled to run at a certain time period
before server-side regeneration would occur to ensure that it always
occurs under controlled conditions.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the horde
mailing list