[ckan-dev] Invalidate session on the server, is this even possible?

Stefan Oderbolz stefan.oderbolz at liip.ch
Sun Feb 15 21:55:33 UTC 2015


We already use HTTPS, so yes, it is mitigated that way. But still: an
attacker could steal the cookie (in whatever way), and the user
should be able to "logout" and thus end this very session. The part I
don't understand is that the auth_tkt thingy seems to depend
completely on the session cookie on the client side; where is this
information on the server?

- Stefan

On Fri, Feb 13, 2015 at 11:42 AM, Alex (Maxious) Sadleir
<maxious at gmail.com> wrote:
> Just tried doing a login/logout/login on demo.ckan.org and it did
> rotate the auth_tkt. I don't know if you can have a maximum lifetime
> of an auth_tkt though.
>
> https://en.wikipedia.org/wiki/Firesheep demonstrated that it's
> possible to take cookies from other users on a wireless network and
> impersonate them on certain web sites like Facebook and Twitter.
>
> To mitigate that threat, people probably want to force users to log in
> (because their password would be transmitted in plain text) and use CKAN
> sites over HTTPS.
> This will become much easier later this year with the launch of Let's
> Encrypt https://letsencrypt.org/ which will provide free automated
> SSL/TLS certificates, so there are no longer barriers to implementing
> HTTPS.
>
> On Fri, Feb 13, 2015 at 9:15 PM, Stefan Oderbolz
> <stefan.oderbolz at liip.ch> wrote:
>> Hi there,
>>
>> we currently have a security issue on one of our CKAN instances. I'm
>> not really the expert, but as far as I understood, CKAN uses the
>> auth_tkt plugin from repoze.who to authenticate a user and its session.
>> The auth_tkt cookie therefore contains all the session data which is
>> then used to authenticate a user.
>>
>> Now, if a user logs out, this cookie is deleted, and the next time he
>> logs in a new session cookie is created. If an attacker can now copy
>> the content of the auth_tkt cookie, then he could still use the session
>> to access the site. So AFAIK this means the session is never really
>> invalidated on the server side. By looking at the code I don't really
>> understand how it works. There must be some kind of session
>> information on the server side, right? Shouldn't it be possible to
>> delete that once a user logs out, so that the session is actually not
>> valid anymore? Or how does that work?
>>
>> Any help would be very much appreciated.
>>
>> Cheers Stefan
>>
>> PS: We're talking here about CKAN 2.2. The auth_tkt stuff is here:
>> https://github.com/ckan/ckan/blob/c260d58387167c660c4981b0305d514693064e20/ckan/lib/auth_tkt.py
>> and what appears to be the session handling is here:
>> https://github.com/ckan/ckan/blob/40a4befc7cb68ad621558e6bb2c70621afffc0cd/ckan/lib/base.py#L292
>>
>> --
>> Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
>> Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev



-- 
Liip AG  // Limmatstrasse 183 //  CH-8005 Zürich
Tel +41 43 500 39 80 // GnuPG 0x7B588C67 // www.liip.ch
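The thread's core point, that an auth_tkt-style cookie carries everything needed to validate it so nothing on the server changes at logout, is easiest to see with a small model. The following is an added example written for this page, not CKAN's or repoze.who's code: it uses a simplified ticket layout signed with HMAC-SHA256 rather than the library's actual digest format, and the `Server` class, the per-user "generation" counter and the `max_age` check are assumptions introduced here to show what server-side invalidation and a maximum lifetime would require. `identify_stateless` models the situation Stefan describes (a stolen ticket keeps working after logout); `Server.identify` adds the missing server-side state.

```python
import hmac
import hashlib

# Hypothetical server secret for the example; a real deployment reads it from config.
SECRET = b"example-server-secret-not-real"

SIG_LEN = 64  # hex length of a SHA-256 HMAC


def make_ticket(secret, userid, generation, issued_at):
    """Build a stateless signed ticket in the spirit of auth_tkt.

    Layout (assumed for this example): <hmac hex><issued_at hex>!<userid>!<generation>
    Everything needed to validate it is in the cookie plus the server secret,
    which is exactly why logout alone cannot revoke it. 'generation' is the
    extra field that makes server-side revocation possible below.
    userid must not contain '!' (the field separator).
    """
    payload = "%08x!%s!%d" % (issued_at, userid, generation)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return sig + payload


def parse_ticket(secret, ticket):
    """Verify the signature and return (issued_at, userid, generation), or None."""
    sig, payload = ticket[:SIG_LEN], ticket[SIG_LEN:]
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    try:
        ts_hex, userid, gen = payload.split("!", 2)
        return int(ts_hex, 16), userid, int(gen)
    except ValueError:
        return None


def identify_stateless(secret, ticket, now, max_age):
    """Purely cookie-based check: signature plus absolute lifetime only.

    With no server-side state consulted, a copied ticket stays valid after the
    legitimate user logs out, until max_age (the maximum lifetime) expires.
    """
    parsed = parse_ticket(secret, ticket)
    if parsed is None:
        return None
    issued_at, userid, _gen = parsed
    if now - issued_at > max_age:
        return None
    return userid


class Server:
    """Adds the minimal server-side state needed to invalidate on logout:
    a per-user generation counter embedded in every ticket issued."""

    def __init__(self, secret, max_age):
        self.secret = secret
        self.max_age = max_age
        self.generation = {}  # userid -> current generation (server-side state)

    def login(self, userid, now):
        gen = self.generation.setdefault(userid, 0)
        return make_ticket(self.secret, userid, gen, now)

    def logout(self, userid):
        # Bumping the generation invalidates every ticket issued before it,
        # including copies an attacker may hold.
        self.generation[userid] = self.generation.get(userid, 0) + 1

    def identify(self, ticket, now):
        parsed = parse_ticket(self.secret, ticket)
        if parsed is None:
            return None
        issued_at, userid, gen = parsed
        if now - issued_at > self.max_age:
            return None  # absolute maximum lifetime exceeded
        if gen != self.generation.get(userid, 0):
            return None  # revoked by a later logout
        return userid


if __name__ == "__main__":
    srv = Server(SECRET, max_age=3600)
    t0 = 1_000_000  # constructed clock value (seconds)
    stolen = srv.login("alice", t0)
    srv.logout("alice")
    print("stateless check after logout:", identify_stateless(SECRET, stolen, t0 + 20, 3600))
    print("stateful check after logout: ", srv.identify(stolen, t0 + 20))
```

The generation counter is one of several ways to hold the revocation state (a denylist of ticket hashes or a per-user "not valid before" timestamp work the same way); what they share is that the server must keep something the cookie alone cannot carry, which is the piece the thread is looking for in the CKAN code.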