[ckan-dev] Invalidate session on the server, is this even possible?

Alex (Maxious) Sadleir maxious at gmail.com
Fri Feb 13 10:42:18 UTC 2015


Just tried doing a login/logout/login on demo.ckan.org and it did
rotate the auth_tkt. I don't know if you can have a maximum lifetime
of an auth_tkt though.

https://en.wikipedia.org/wiki/Firesheep demonstrated that it's
possible to take cookies from other users on a wireless network and
impersonate them on certain web sites like Facebook and Twitter.

To mitigate that threat, people probably want to force users to log in
(because their password would otherwise be transmitted in plain text) and
use CKAN sites over HTTPS.
This will become much easier later this year with the launch of Let's
Encrypt https://letsencrypt.org/ which will provide free automated
SSL/TLS certificates, so there are no longer barriers to implementing
HTTPS.

On Fri, Feb 13, 2015 at 9:15 PM, Stefan Oderbolz
<stefan.oderbolz at liip.ch> wrote:
> Hi there,
>
> we currently have a security issue on one of our CKAN instances. I'm
> not really the expert, but as far as I understood CKAN uses the
> auth_tkt plugin from repoze.who to authenticate a user and its session.
> The auth_tkt cookie therefore contains all the session data which is
> then used to authenticate a user.
>
> Now if a user logs out this cookie is deleted and the next time he
> logs in a new session cookie is created. Now if an attacker can copy
> the content of the auth_tkt cookie, then he could still use the session
> to access the site. So afaik this means the session is never really
> invalidated on the server side. By looking at the code I don't really
> understand how it works. There must be some kind of session
> information on the server side, right? Shouldn't it be possible to
> delete that once a user logs out, so that actually the session is not
> valid anymore? Or how does that work?
>
> Any help would be very much appreciated.
>
> Cheers Stefan
>
> PS: We're talking here about CKAN 2.2. The auth_tkt stuff is here:
> https://github.com/ckan/ckan/blob/c260d58387167c660c4981b0305d514693064e20/ckan/lib/auth_tkt.py
> and what appears to be the session handling is here:
> https://github.com/ckan/ckan/blob/40a4befc7cb68ad621558e6bb2c70621afffc0cd/ckan/lib/base.py#L292
>
> --
> Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
> Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
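As an added illustration of the problem Stefan describes and the ticket rotation Alex tested (example code written for this page, not CKAN's, repoze.who's or either author's): a simplified auth_tkt-style signed ticket, first checked the way a cookie-only scheme checks it, then with the server-side revocation record and maximum lifetime that make logout and ticket age actually enforceable. The ticket layout, the secret and the 3600-second lifetime are assumptions for the demo, not the repoze.who wire format.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple


class TicketAuthenticator:
    """Signed ticket cookie plus the server-side state needed to invalidate it.
    Layout (assumed for the demo): 64-hex HMAC-SHA256 | 8-hex issue time | 16-hex nonce | user id."""

    def __init__(self, secret: bytes, max_lifetime: int = 3600):
        self.secret = secret              # shared signing secret (constructed value in the demo)
        self.max_lifetime = max_lifetime  # hard cap on ticket age in seconds (assumed policy)
        self.revoked: Dict[str, int] = {}  # ticket digest -> issue time, filled on logout

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        payload = f"{now:08x}{os.urandom(8).hex()}{user_id}"  # nonce makes each login distinct
        return self._sign(payload) + payload

    def verify_signature(self, ticket: str) -> Optional[Tuple[int, str]]:
        """Stateless check only: (issue_time, user_id) if the HMAC is valid.
        This is all a cookie-only scheme can do, so a copied ticket still passes after logout."""
        digest, payload = ticket[:64], ticket[64:]
        if len(payload) < 24 or not hmac.compare_digest(digest, self._sign(payload)):
            return None
        return int(payload[:8], 16), payload[24:]

    def authenticate(self, ticket: str, now: Optional[int] = None) -> Optional[str]:
        """Signature check plus the two server-side rules: not logged out, not past its lifetime."""
        now = int(time.time()) if now is None else now
        parsed = self.verify_signature(ticket)
        if parsed is None:
            return None
        issued, user_id = parsed
        if ticket[:64] in self.revoked or now - issued > self.max_lifetime:
            return None
        return user_id

    def logout(self, ticket: str) -> None:
        """Record the ticket as revoked; deleting the cookie client-side is not enough."""
        parsed = self.verify_signature(ticket)
        if parsed is not None:
            self.revoked[ticket[:64]] = parsed[0]

    def purge(self, now: Optional[int] = None) -> None:
        """Drop revocation entries the lifetime cap would reject anyway, so the set stays bounded."""
        now = int(time.time()) if now is None else now
        self.revoked = {d: t for d, t in self.revoked.items() if now - t <= self.max_lifetime}
```

The revocation record is what has to live on the server (a shared store in a multi-process deployment); without it, only the signature and the age cap stand between a copied cookie and the account.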