[ckan-dev] Invalidate session on the server, is this even possible?

Stefan Oderbolz stefan.oderbolz at liip.ch
Fri Feb 13 10:15:55 UTC 2015


Hi there,

we currently have a security issue on one of our CKAN instances. I'm
not really the expert, but as far as I understood CKAN uses the
auth_tkt plugin from repoze.who to authenticate a user and its session.
The auth_tkt cookie therefore contains all the session data which is
then used to authenticate a user.

Now if a user logs out this cookie is deleted and the next time he
logs in a new session cookie is created. If an attacker can now copy
the content of the auth_tkt cookie, then he could still use the session
to access the site. So afaik this means the session is never really
invalidated on the server side. By looking at the code I don't really
understand how it works. There must be some kind of session
information on the server side, right? Shouldn't it be possible to
delete that once a user logs out, so that actually the session is not
valid anymore? Or how does that work?

Any help would be very much appreciated.

Cheers Stefan

PS: We're talking here about CKAN 2.2. The auth_tkt stuff is here:
https://github.com/ckan/ckan/blob/c260d58387167c660c4981b0305d514693064e20/ckan/lib/auth_tkt.py
and what appears to be the session handling is here:
https://github.com/ckan/ckan/blob/40a4befc7cb68ad621558e6bb2c70621afffc0cd/ckan/lib/base.py#L292

-- 
Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
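Added example, not CKAN's or repoze.who's own code: a simplified signed-ticket check in the style of auth_tkt (payload plus HMAC, so the cookie alone proves the login), beside a hypothetical per-user logout timestamp that the server consults so a ticket copied before logout stops validating. The ticket layout, the secret and the `_logged_out_at` registry are assumptions for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # placeholder, not a real CKAN config value

# Hypothetical logout registry: user id -> time of that user's last logout.
# Plain auth_tkt keeps no such server-side table, which is why a copied
# cookie keeps working after the browser has deleted its own copy.
_logged_out_at = {}

def make_ticket(user_id, issued_at=None):
    """Mint a self-contained ticket (simplified format, not the exact
    auth_tkt wire layout): hex HMAC, user id and issue time, '!'-separated."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    payload = "%s!%d" % (user_id, issued_at)
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return "%s!%s" % (mac, payload)

def verify_ticket(ticket, now=None, max_age=3600):
    """Stateless check as in auth_tkt: signature and age only.
    Returns the user id, or None if the ticket is forged or expired."""
    now = now if now is not None else time.time()
    try:
        mac, user_id, issued_at = ticket.split("!")
        issued_at = int(issued_at)
    except ValueError:
        return None
    payload = "%s!%d" % (user_id, issued_at)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if now - issued_at > max_age:
        return None
    return user_id

def logout(user_id, now=None):
    """Record the logout on the server; nothing in the ticket changes."""
    _logged_out_at[user_id] = int(now if now is not None else time.time())

def verify_with_revocation(ticket, now=None, max_age=3600):
    """Stateful check: additionally reject any ticket minted at or before
    the user's last recorded logout, so a copied ticket dies with the session."""
    user_id = verify_ticket(ticket, now, max_age)
    if user_id is None:
        return None
    issued_at = int(ticket.split("!")[2])
    if issued_at <= _logged_out_at.get(user_id, -1):
        return None
    return user_id
```

The same ticket passes `verify_ticket` before and after `logout`, which is the behaviour described above; only `verify_with_revocation` stops honouring it.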
